US20070107051A1 - System for and method of managing access to a system using combinations of user information - Google Patents
- Publication number: US20070107051A1 (application US11/367,085)
- Authority: US (United States)
- Prior art keywords: questions, user, question, access, responses
- Prior art date
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
Definitions
- This invention relates to computer security. More particularly, this invention relates to systems for and methods of increasing the security of computer systems using combinations of user-supplied information.
- Single-phrase password systems are easy to circumvent, such as by interception, by “brute-force” software programs that generate multiple combinations of characters, which are entered into the system, or by programs that snoop around system memory looking for possible passwords. Furthermore, many people write down their passwords, because they are non-intuitive and thus difficult to remember.
- Some prior art systems use one-time password modules. Using these modules, a user inputs a seed into a one-time password generator, which generates a list of multiple passwords of seemingly random characters. The system on which these passwords are to be used will accept each password on the list only once. Thus, even if an eavesdropper were to intercept a password that an authorized user has used or is using to log on to the system, the eavesdropper cannot use the password. Because it has been used by the authorized user, it cannot be used again.
- One-time password modules have the disadvantage of generating strings of random characters that are incomprehensible, non-intuitive, and thus difficult to remember. Users often write the list of passwords down, compromising the security of the system if the list is found and later used by an unauthorized user.
- the present invention is used to control access to protected data, that is, data protected by encryption, by limiting access to the directories in which it is stored, or by other means.
- the data is owned or controlled by organizational levels in an entity.
- a corporate level owns and controls confidential data that only those on the corporate level, such as chief operating officers (COOs) and the like, should have access to.
- an engineering level owns and controls data that not only engineers, but also the COO should have access to. Users are granted permission to access data by authenticating themselves and then receiving encryption and decryption keys that allow them to access protected data.
- Embodiments of the invention provide increased security by randomly selecting questions used to challenge anyone attempting to log on to the system. By randomly selecting questions and ensuring that the selected questions are not asked too often, the system ensures that even if an unauthorized user learns of the questions and answers used during one logon session, those answers cannot later be used to gain unauthorized access to the system.
- a method of controlling access to a system comprises performing a test that includes comparing input responses to randomly selected questions with corresponding pre-determined responses to the questions and granting access to the system in the event the test is passed.
- a first condition of passing the test is that each input response matches a corresponding pre-determined response.
- a pre-determined response is a pre-determined correct answer to its corresponding question.
- a pre-determined response is a pre-determined incorrect answer to its corresponding question.
- the method further comprises presenting the questions sequentially. In an alternative embodiment, the method further comprises presenting the questions concurrently. In one embodiment, a second condition of passing the test is entering the input responses into the system in a pre-determined sequence.
- Questions are able to be presented using any number of means including, but not limited to, display screens, voice modules, and the like. Responses are able to be received using any number of means including, but not limited to, keyboards, mice, touch screens, biometric sensors, joy sticks, and voice recognition modules.
- the method further comprises displaying questions and candidate responses in a multiple choice format.
- a first condition of passing the test is selecting a pre-determined question and providing a corresponding pre-determined response to the question.
- the test is failed by selecting a question that has no corresponding pre-determined response.
- the method further comprises displaying candidate responses that include correct answers to the questions and also incorrect answers to the questions.
- granting access to the system comprises decrypting information on the system using a decryption key, encrypting information using an encryption key, or both.
- the method further comprises selecting a question for display based on a time that the question was last displayed. Alternatively, or additionally, the method further comprises selecting a question for display based on a number of times the question was displayed within a pre-determined time period.
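Added example (not code from the patent or its assignee): a Python sketch of the selection-and-test method in the preceding bullets. The two recency limits (time since a question was last displayed, and a cap on displays within a window), the optional pre-determined entry sequence, and checking every response before returning a verdict follow the text. The question bank contents, storing the pre-determined responses as HMAC-SHA256 digests rather than plaintext, the `normalize` rule, and `random.SystemRandom` as the default source are assumptions made here.

```python
import hashlib
import hmac
import random
from dataclasses import dataclass, field


def normalize(response: str) -> str:
    """Canonicalise a typed response so case and spacing differences do not fail the test."""
    return " ".join(response.strip().lower().split())


@dataclass
class Question:
    text: str
    digest: bytes                                   # keyed digest of the pre-determined response
    last_asked: float = float("-inf")               # when this question was last displayed
    ask_times: list = field(default_factory=list)   # display times inside the current window


class ChallengeBank:
    """Random challenge selection with two recency limits: a minimum gap since a question
    was last displayed, and a cap on how often it may be displayed within a sliding window."""

    def __init__(self, key: bytes, qa_pairs, combo_size=3, min_gap=3600.0,
                 window=86400.0, max_per_window=2, rng=None):
        self.key = key
        self.combo_size = combo_size
        self.min_gap = min_gap
        self.window = window
        self.max_per_window = max_per_window
        self.rng = rng or random.SystemRandom()     # OS entropy unless a seeded rng is injected
        self.questions = [Question(q, self._digest(a)) for q, a in qa_pairs]

    def _digest(self, response: str) -> bytes:
        # Stored responses are keyed digests, never plaintext (assumption made in this example).
        return hmac.new(self.key, normalize(response).encode(), hashlib.sha256).digest()

    def eligible(self, now: float):
        """Indices of questions that neither recency limit currently excludes."""
        pool = []
        for i, q in enumerate(self.questions):
            q.ask_times = [t for t in q.ask_times if now - t < self.window]
            if now - q.last_asked >= self.min_gap and len(q.ask_times) < self.max_per_window:
                pool.append(i)
        return pool

    def select(self, now: float):
        """Pick a fresh combination and record the display time of each question."""
        pool = self.eligible(now)
        if len(pool) < self.combo_size:
            raise RuntimeError("too few fresh questions: enlarge the bank or relax the limits")
        combo = self.rng.sample(pool, self.combo_size)
        for i in combo:
            self.questions[i].last_asked = now
            self.questions[i].ask_times.append(now)
        return combo

    def verify(self, entered, required_order=None) -> bool:
        """entered: (question_index, response) pairs in the order the user supplied them.
        Every response is checked before the verdict is returned, so a failed attempt
        does not reveal which question was answered wrongly."""
        ok = True
        for i, response in entered:
            if not hmac.compare_digest(self.questions[i].digest, self._digest(response)):
                ok = False
        if required_order is not None and [i for i, _ in entered] != list(required_order):
            ok = False                      # second condition: pre-determined entry sequence
        return ok


# Constructed sample bank; the third pair is a deliberately "incorrect" pre-determined response.
QA = [
    ("What is my favorite team?", "Blue Sox"),
    ("How many nephews do I have?", "4"),
    ("How old am I?", "22"),
    ("What was my first car?", "Corolla"),
    ("What is my favorite colour?", "Purple"),
    ("What was my first pet's name?", "Rex"),
    ("In which city was I born?", "Lisbon"),
    ("On which street did I grow up?", "Elm Street"),
]


def make_bank(seed=7):
    """Seeded only so the walk-through is reproducible; production code keeps SystemRandom."""
    return ChallengeBank(b"constructed-server-key", QA, rng=random.Random(seed))


def demo():
    bank = make_bank()
    first = bank.select(now=1000.0)
    second = bank.select(now=1500.0)        # inside min_gap, so it cannot reuse any of `first`
    answers = [(i, QA[i][1]) for i in first]
    return first, second, bank.verify(answers, required_order=first)


if __name__ == "__main__":
    print(demo())
```

With eight questions and a combination of three, the bank is exhausted after two logons inside the gap; the `RuntimeError` is the signal to size the bank against the configured limits rather than silently repeat a question.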
- a method of controlling access to a system comprises selecting a combination of questions for presentation to a user; determining a classification of the user on the system; and granting access to an area of the system based on both responses to the combination of questions and the classification.
- the classification corresponds to a membership of the user in one or more of a corporation, a division, a department, a group, and a project.
- the combination of questions is randomly selected.
- the area of the system corresponds to any one or more of a disk partition, a file system, a portion of a database, a directory, an electronic folder, an electronic file, and a data object.
- the method further comprises displaying the combination of questions using a user interface protocol.
- the user interface protocol comprises displaying candidate responses to the questions as multiple choices.
- the method further comprises encrypting a response input by the user using an encryption key to generate an encrypted input response and granting access to the system in the event that the encrypted input response matches a corresponding encrypted system response.
- Granting access to the system comprises decrypting the area of the system using a decryption key corresponding to the encryption key.
- encryption and decryption are performed in a system kernel.
- granting access to the area comprises determining permissions to the area corresponding to the classification.
- the classification has a hierarchical structure that corresponds to an organizational structure of an entity.
- a module for controlling access to a system comprises means for randomly selecting a combination of questions and means for granting access to the system in the event user responses to the questions match corresponding system responses to the questions.
- the module further comprises means for displaying the combination of questions.
- the means for displaying displays the combination of questions sequentially.
- the means for displaying displays the combination of questions concurrently.
- the means for selecting a combination of questions comprises a memory for storing information for tracking questions presented to a user.
- a module for controlling access to a system comprises means for displaying a randomly selected combination of questions to a user and a grant component for granting access to the system based on a classification of the user and responses of the user to the questions. Granting access to the system comprises granting access to one of an encryption key, a decryption key, or both, for accessing data on the system.
- a network of devices comprises one or more user devices and an access control module.
- the access control module is for granting access to protected data to multiple users using the user devices. Each user from the multiple users is granted access based on his position in an organization and on his responses to a combination of randomly selected questions.
- FIG. 1 shows hierarchically-arranged levels of an organization, data owned within several of the levels, and users attempting to access the data in accordance with the present invention.
- FIG. 2 shows the steps of a process for authenticating a user and using permissions granted to him for accessing data, all in accordance with the present invention.
- FIG. 3 shows a corporate access control module, an authentication module, and an access parameter module in accordance with the present invention.
- FIG. 4 shows how the authentication module in FIG. 3 is used to generate keys for accessing protected data in accordance with the present invention.
- FIG. 5 shows a Karnaugh map corresponding to permissions for granting access to a user in accordance with the present invention.
- FIG. 6 shows a logic diagram corresponding to the Karnaugh map of FIG. 5 .
- FIG. 7 shows a graphical user interface (GUI) displaying a combination of questions for challenging a user in accordance with the present invention.
- FIG. 8 shows another GUI displaying a combination of questions for challenging a user in accordance with the present invention.
- FIG. 9 shows a data structure for selecting a random combination of questions to challenge a user in accordance with the present invention.
- FIG. 10 shows another data structure for tracking questions already asked a user in accordance with the present invention.
- FIG. 11 shows steps for tracking questions displayed in accordance with the present invention.
- FIG. 12 shows the data structure of FIG. 10 and similar data structures, all used to track questions already asked in accordance with the present invention.
- FIG. 13 shows a question and answer array in accordance with one embodiment of the present invention.
- FIGS. 14 A-C show arrays used to randomly select questions and answers in accordance with one embodiment of the present invention, after authorizing a user at three different times.
- FIG. 15 shows steps for using the data elements in FIGS. 13 and 14 A-C in accordance with one embodiment of the present invention.
- a system provides access to system data based on (1) a user's ability to answer randomly selected questions, (2) a user's classification within an organization, or (3) both.
- the system ensures that even an eavesdropper cannot use answers provided to the questions, since those questions are unlikely to be asked (and their corresponding answers expected) the next time the system is accessed.
- the system checks the classification or position of the user (e.g., corporate director, manager in accounting, or engineer) and grants the user access to only those data for which he has permission.
- a user must correctly answer a combination of three randomly selected questions.
- the user must correctly answer fewer than three or more than three randomly selected questions.
- FIG. 1 shows an exemplary hierarchical tree structure 100 illustrating several organizational levels and used to explain embodiments of the present invention.
- the hierarchical structure 100 includes a corporate level 101 , a division level 103 , and a project level 105 .
- the corporate level 101 contains one corporation 101 A
- the division level 103 contains three divisions 103 A-C
- the project level 105 contains three projects 105 A-C.
- the corporation 101 A owns a database 130 to which access is controlled (a “protected” database)
- the division 103 A owns a protected electronic folder 135
- the project 105 A owns a protected electronic file 140 .
- a user 120 is part of the division level 103 and a user 122 is part of the project level 105 .
- both of the users 120 and 122 have successfully answered randomly selected questions to verify their identity to the system and thus their position in the organizational hierarchy (e.g., a corporate director, manager in accounting, or engineer).
- the user 120 is able to access the protected folder 135 because (1) he answered randomly generated questions correctly and (2) his position in the organizational hierarchy permits him to access the folder 135 .
- the position of the user 122 does not allow him to access the folder 135 .
- the unbroken line connecting the user 122 to the protected file 140 indicates that the user 122 is allowed to access the protected file 140 .
- This example thus illustrates how embodiments of the invention grant access to system data based on users' positions in an organizational hierarchy. As described in more detail below, the system grants access to data on the system by associating “permissions” for the data with the user.
- This example also illustrates another advantage of the present invention.
- the user 120 verifies his identity, he is challenged with the randomly selected combination of questions A, B, and C, to which he provides the correct responses A′, B′, and C′. Even if the user 122 were to view or otherwise intercept the responses A′, B′ and C′, and tried to log on as the user 120 , he would be challenged with a new randomly selected combination of questions D, E, F, with the corresponding correct responses D′, E′, and F′.
- the responses A′, B′, and C′, which the user 122 now has, cannot be used by the user 122 to log on to the system as the user 120 .
- embodiments of the system check to make sure that the questions A, B, and C are not asked again, either alone or in the same combination, within a pre-determined time period or within a pre-determined number of iterations.
- the user 120 enters the questions A, B, C, D, E, and F and provides the corresponding responses A′, B′, C′, D′, E′, and F′.
- the user 120 generally chooses personal questions to which few within his organization know the answers, questions such as “What is my favorite team?” or “How many nephews do I have?”
- the user 120 is also able to select “incorrect” responses to questions. For example, for the question “How old am I,” the user 120 is able to select the response “22” even though the user 120 is much older. In other words, by responding with the “incorrect” answer “22,” the user 120 is able to verify his identity and thus access the system.
- the system is able to grant a user access to system data in any number of ways. These include, but are not limited to, (1) granting to the user or user applications a key for decrypting system data (such as when the user wishes to read data that has been encrypted and stored on the system) or another key for encrypting data (such as when the user wishes to write data) and (2) granting the user permission to traverse a directory, to name a few ways.
- a user is granted a key
- its use is “transparent”; that is, the user does not see the key or do anything special to use it.
- the operating system or other applications use the encryption and decryption keys without user interference.
- FIG. 1 shows a rather simple organizational structure used to describe the invention.
- Embodiments of the present invention are able to be used with more complex organizational structures, tree-like or not, such as one in which a corporation contains multiple divisions, each division contains multiple business units, each business unit contains multiple departments, each department contains multiple groups, each group contains multiple projects, and each project contains multiple individuals.
- FIG. 2 shows the steps of a process 150 for determining whether a user is able to access protected data.
- a user is authenticated, such as by correctly answering a randomly selected combination of questions. If the user answers the questions correctly, the process continues to the step 153 ; otherwise, the process continues to the step 159 , where the process ends.
- the process determines permissions to grant the user, based in whole or in part on his position in an organization that owns the system.
- the process determines whether the user's permissions allow him to access the data.
- in the step 157, the user accesses the data, after which the process proceeds to the step 159, where the process ends. If, in the step 155, the process determines that the user is not allowed to access the data, the process continues to the step 159, where the process ends.
- FIG. 3 shows modules of a system 200 in accordance with the present invention.
- the system 200 comprises a corporate access control module 210 , an authentication module 240 , and an access parameter module 260 .
- the corporate access control module 210 includes a corporate vector 222 and a corresponding permissions vector 230 .
- the corporate vector 222 has the components 222 A-G, and the permissions vector 230 contains permissions for each component.
- a corporate level 222 A has permissions 230 A (shown with the placeholder “-x-”), a divisional level 222 B has permissions 230 B, a business unit level 222 C has permissions 230 C, a department level 222 D has permissions 230 D, a management group (“group”) level 222 E has permissions 230 E, a project team (“team”) level 222 F has permissions 230 F, and a user level 222 G has permissions 230 G.
- the exemplary permissions 230 A define the permissions of a user at the corporate level 222 A.
- a user at the corporate level 222 A has permissions to access any file anywhere on the system, regardless of what level owns the file.
- the permissions 230 E of a user at the group level 222 E allows that user to access only data owned by that group.
- the components 230 A-G of the permissions vector 230 are set by a system administrator during system initialization.
- a head of a level (e.g., a department manager) sets permissions for members in the level.
- protected data are encrypted with encryption keys that have corresponding decryption keys; permissions define which keys a user is granted and thus which data a user is able to decrypt and thus access.
- a user at the corporate level is granted a corporate encryption key and a corporate decryption key (collectively called a corporate master key); a user at the divisional level is granted a divisional master key; etc.
- the corporate key decrypts and encrypts all data within the user's organization.
- a divisional master key decrypts and encrypts all data owned by the business unit level, the department unit level, all the way down to the user level.
- the permissions vector 230 is thus used to define permissions to all users based on their positions in the organizational hierarchy.
- the access parameter module 260 illustrates the components of a permissions sub-vector (e.g., 230 A) of the permissions vector (e.g., 230 ), containing permissions for both encrypting, such as when a user is writing to a protected area, and decrypting, such as when a user is reading from a protected area.
- the permissions for decrypting are indicated by the sub-vector 261 , which indicates permissions for read 262 , execute 263 , share 264 , and copy 265 , shown by the corresponding code “R” 262 A (for read), “X” 263 A (for execute), “S” 264 A (for share), and “C” 265 A (for copy), generally referred to as permissions “RXSC.”
- the permissions for encrypting are indicated by the sub-vector 271 , which indicates permissions for write 272 , delete 273 , move 274 , and modify 275 , shown by the corresponding code “W” 272 A (for write), “D” 273 A (for delete), “Mv” 274 A (for move), and “M” 275 A (for modify), generally referred to as permissions “WDMvM.” It will be appreciated that other permissions and combinations of permissions are allowable in accordance with the present invention, such as “not copy.”
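Added example, not the patent's code: the permissions vector 230 and the RXSC / WDMvM sub-vectors 261 and 271 expressed as an access decision over the organizational hierarchy. The rule that a master key issued at one level covers all data owned beneath that level follows the text; the sample org tree, the level names used as dictionary keys, and the concrete flag assignments (including a team level configured as "not copy") are constructed here.

```python
from dataclasses import dataclass
from enum import Flag, auto
from typing import Optional


class Decrypt(Flag):
    """Sub-vector 261 ("RXSC"): rights exercised with the decryption key when reading."""
    R = auto()   # read
    X = auto()   # execute
    S = auto()   # share
    C = auto()   # copy


class Encrypt(Flag):
    """Sub-vector 271 ("WDMvM"): rights exercised with the encryption key when writing."""
    W = auto()   # write
    D = auto()   # delete
    MV = auto()  # move
    M = auto()   # modify


@dataclass(eq=False)   # identity comparison: two nodes are equal only if they are the same node
class Node:
    name: str
    level: str         # one of the levels 222 A-G, e.g. "corporate", "division", "team", "user"
    parent: Optional["Node"] = None

    def lineage(self):
        """This node and every ancestor up to the corporate root."""
        node, chain = self, []
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain


@dataclass
class PermissionsVector:
    """Components 230 A-G: per-level decrypt and encrypt rights, set at initialisation."""
    decrypt: dict   # level -> Decrypt flags
    encrypt: dict   # level -> Encrypt flags


def decide(user_node: Node, owner: Node, op, vector: PermissionsVector):
    """Return (key needed, granted?).  A master key issued at a level covers data owned
    anywhere beneath that level, so the owner's lineage must pass through the user's node;
    the level's sub-vector then decides whether this particular operation is allowed."""
    in_scope = user_node in owner.lineage()
    if isinstance(op, Decrypt):
        return "decryption key", in_scope and op in vector.decrypt[user_node.level]
    if isinstance(op, Encrypt):
        return "encryption key", in_scope and op in vector.encrypt[user_node.level]
    raise TypeError("op must be a Decrypt or Encrypt flag")


def sample_org():
    """Constructed hierarchy and permissions vector for the walk-through."""
    corp = Node("Acme", "corporate")
    div_a = Node("Division A", "division", corp)
    div_b = Node("Division B", "division", corp)
    team_a1 = Node("Team A1", "team", div_a)
    user_a1 = Node("u001", "user", team_a1)
    vector = PermissionsVector(
        decrypt={"corporate": Decrypt.R | Decrypt.X | Decrypt.S | Decrypt.C,
                 "division": Decrypt.R | Decrypt.X | Decrypt.S | Decrypt.C,
                 "team": Decrypt.R | Decrypt.X | Decrypt.S,        # "not copy" at team level
                 "user": Decrypt.R},
        encrypt={"corporate": Encrypt.W | Encrypt.D | Encrypt.MV | Encrypt.M,
                 "division": Encrypt.W | Encrypt.D | Encrypt.MV | Encrypt.M,
                 "team": Encrypt.W | Encrypt.M,
                 "user": Encrypt.W},
    )
    nodes = {"corp": corp, "div_a": div_a, "div_b": div_b, "team_a1": team_a1, "user_a1": user_a1}
    return nodes, vector


def demo():
    org, vec = sample_org()
    return {
        "coo_reads_team_file":    decide(org["corp"], org["team_a1"], Decrypt.R, vec),
        "div_a_deletes_div_b":    decide(org["div_a"], org["div_b"], Encrypt.D, vec),
        "team_copies_own_file":   decide(org["team_a1"], org["team_a1"], Decrypt.C, vec),
        "team_reads_own_file":    decide(org["team_a1"], org["team_a1"], Decrypt.R, vec),
        "user_writes_div_folder": decide(org["user_a1"], org["div_a"], Encrypt.W, vec),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, verdict)
```

Scope (where in the tree the user sits) and rights (which operations the level's sub-vector allows) are deliberately two separate checks: a team member is in scope for the team's own file yet still cannot copy it, and a division manager with every right is still out of scope for a sibling division.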
- the authentication module 240 comprises a question and response component 241 that, as shown in the example of FIG. 2 , presents and receives, respectively, the question “User Question 1 ” and the corresponding response “User Answer 1 ”; the question “User Question 2 ” and the corresponding response “User Answer 2 ”; and the question “User Question 3 ” and the corresponding response “User Answer 3 .”
- the system determines a user name and key combination 245 , which grants the user permission to access system data in accordance with the present invention.
- questions and answers are encrypted and stored on the system. This ensures that the question and answer pairs stored on the system cannot be read and later used by an unauthorized user.
- a selected question is decrypted and presented to a user.
- the user's response is encrypted and compared to the encrypted response stored on the system to determine whether the user entered a correct response.
- the permission vector 230 is generated by a system administrator, with the corresponding access parameters 261 and 271 .
- the system administrator's role is automated by a key management system, and the permission vector 230 is generated when a user is registered on a system.
- a user uses the authentication module 240 to verify his identity. After verifying the user's identity, the authentication module 240 uses the access parameters 261 and 271 to determine a key for granting a user. The system then uses the key for granting the user access to system data.
- FIG. 4 is used to explain in more detail the operation of one embodiment of the present invention.
- FIG. 4 shows the authentication module 240 of FIG. 3 coupled to an access module 270 .
- the access module 270 receives the user name and key combination generated by the authentication module 240 , determines an owner, department, and permissions (collectively, 280 ) from the user name and key combination, which is then used to make system calls 281 in the system user space 281 to access protected system data in accordance with the present invention.
- the user name is a unique identifier, such as a user identifier.
- the user identifier is encoded and compared to a stored encoded user identifier to authenticate the user.
- FIG. 5 shows a Karnaugh map 300 having rows 310 and columns 320 .
- the Karnaugh map 300 is easily understood by those skilled in the art and is not discussed in great detail here.
- Each of the rows 310 is labeled with a three-bit identifier.
- Each bit corresponds to an access to protected data, labeled here as “N,” for “Non Access”; “S,” for “Shared Access”; and “A,” for “Access.”
- Each of the columns is also labeled with a three-bit identifier.
- Each bit corresponds to an organizational level, labeled here as “G,” for group; “P,” for project; and “U,” for user.
- a circled “1” in the intersection of one of the rows 310 and one of the columns 320 indicates that access to protected data is allowed.
- the non-circled number in the intersection corresponds to a similarly numbered logic component shown in the corresponding logic circuit 350 , illustrated in FIG. 6 , used, for example, to implement the Karnaugh map 300 in software.
- the logic circuit 350 shows as inputs (1) a corporate vector 353 corresponding to the group 042 and the project 04 and (2) the permissions vector 355 for non-access, shared access, and access.
- the output 360 of the logic circuit 350 determines whether to issue a decrypt command, signaling that the user 001 , who belongs to the group 042 and the project 04 , is granted access to a decryption key.
- FIG. 5 and the corresponding FIG. 6 correspond to only the lower half of a logic circuit for implementing the present invention, since they are the end point of the chain of command over the access rights. Those skilled in the art will recognize how to construct the upper half of the logic circuit. Those skilled in the art will also recognize that a logic circuit similar to that shown in FIG. 6 is used to generate an encryption command, signaling that the user is allowed, for example, access, shared access, copy, read, or no copy access to an encryption key.
- FIG. 7 shows a graphical user interface (GUI) 400 that forms part of an authentication module, used together with a corporate access module in accordance with the present invention, or independently of the corporate access control module. Using both together increases the security provided by a system of the present invention.
- the GUI 400 displays (1) a first question 403 A and an area 403 B (collectively, block 403 ) to input its corresponding response; (2) a second question 405 A and an area 405 B (collectively, block 405 ) to input its corresponding response; and (3) a third question 407 A and an area 407 C (collectively, block 407 ) to input its corresponding response.
- the user selects the “Go” button 409 , and the system attempts to authenticate the user.
- the questions 403 A, 405 A, and 407 A are selected randomly, such as described below. That is, when a user first accesses the system, the system selects a first combination of the questions A, B, and C, which are then presented to the user. When a user next accesses the system, the system selects a second combination of questions D, E, and F. Preferably, to increase the probability that the first combination differs from the second combination, each of the questions A-F is selected randomly. In one embodiment, the system nevertheless checks whether any of the questions A-F (1) are the same, (2) were asked recently, within either a time frame or a sequence of combinations asked, or (3) were asked in any way that would allow previous answers to be helpful to an unauthorized user. If, for example, the question D is the same as question A, another question is randomly selected and asked instead of question D.
- the GUI 400 is presented to a user according to a user interface protocol.
- user interface protocols according to the present invention present questions to a user (1) concurrently, (2) sequentially, or (3) in a multiple-choice format, to name a few formats.
- a user interface protocol uses a “concurrent display”
- all of the blocks 403 , 405 , and 407 are presented to the user at one time.
- a user interface protocol uses a “sequential display”
- the block 403 is presented to the user first. If the user enters the correct response, then the block 405 is then presented to the user. If the user enters the correct response, then the block 407 is presented to the user.
- If the user again enters a correct response, then the user is authenticated, allowed access to the system, and granted permission to access protected data based on his position. The next time the user accesses the system, the system displays questions different from 403 A, 403 B, and 403 C.
- the GUI 500 shown in FIG. 8 is displayed.
- the GUI 500 displays a question area comprising a block 501 that contains a question 501 A and an input area 501 B for entering a letter corresponding to an answer to the question 501 A; a block 503 that contains a question 503 A and an input area 503 B for entering a letter corresponding to an answer to the question 503 A; a block 505 that contains a question 505 A and an input area 505 B for entering a letter corresponding to an answer to the question 505 A; a block 507 that contains a question 507 A and an input area 507 B for entering a letter corresponding to an answer to the question 507 A; and a “Go” button 520 for launching the authorization process.
- the GUI 500 also displays a candidate answer area containing multiple letter and answer pairs: the entry 510 with the letter “A” indicating the answer “Blue,” the entry 511 with the letter “B” indicating the answer “Yellow,” the entry 512 with the letter “C” indicating the answer “Purple,” the entry 513 with the letter “D” indicating the answer “Pink,” the entry 514 with the letter “E” indicating the answer “Green,” and the entry 515 with the letter “F” indicating the answer “Gold.”
- the letters A-F are input into the input areas 501 B, 503 B, 505 B, and 507 B. If the letters correspond to the answers that the user input into the system as the “correct answers,” then the user is authenticated.
- the system requires that a user answer questions in a pre-determined order.
- the system is configured to authorize the user only if he answers the question 505 A first, the question 501 A next, the question 507 A next, and the question 503 A last. This is accomplished in one embodiment using event handlers, to make sure that the events corresponding to entering data in the areas 501 B, 503 B, 505 B, and 507 B occur in the following order: entering data in 505 B, then 501 B, then 507 B, and finally 503 B.
- the authentication module requires that the user select only a subset of the questions 501 A, 503 A, 505 A, and 505 A for answering. If the user answers all of the questions or selects the wrong subset, he is not authorized. If the user provides the wrong answer to a question, even if the correct questions are selected, he is not authorized.
- GUI 500 shows more questions than answers
- GUIs in accordance with other embodiments of the present invention have the same number of questions and answers or more questions than answers, such as when only a subset of questions must be answered to authenticate a user.
- a user learns that he has not been authorized as soon as he answers a question incorrectly.
- the user learns that he has not been authorized only after he has attempted to answer all of the questions posed to him. In this way, the user does not learn which question he answered incorrectly, information he could use later when guessing at answers to the questions.
- FIGS. 9-15 are used to explain how questions are randomly selected according to embodiments of the invention and how the system ensures that questions are not repeated too often.
- FIG. 9 shows an exemplary data structure 550 used to select one question in a combination of questions presented to a user. It will be appreciated that multiple data structures 550 are used to ask the combination of questions of a user. Thus, for example, when a combination of three questions is asked of a user, the system requires three of the exemplary data structures 550 .
- the data structure 550 includes a first element 551 , a second element 555 , and a third element 557 .
- the element 557 stores a list of question and answer pairs in a “question and answer” array.
- the elements of the question and answer array are addressable and selected by indices, which, as described below, are randomly generated.
- the indices are generated (and the question and answer pairs thus selected) using a pseudo-random number generator, generally referred to as a “PRNG,” often supplied as a program library function.
- the element 551 stores a seed for the PRNG.
- the element 555 preferably stores an index or other identifier to the question last selected using the data structure 550 .
- a system time function is called.
- the system time function returns the number of seconds that have elapsed since a pre-determined date (Unix, for example, uses Jan. 1, 1970).
- the value returned by the function can be used as a random number after being modified, such as by (1) truncation, (2) using it as the first operand to the modulus operator with the array size as the second operand, or (3) taking a subset (e.g., the first three digits) of the value and again using the modulus operator with the array size as an operand.
- the system spawns a process, thereby generating a process identifier and modifies the process identifier in the same way as the value returned by the system time function.
- the spawned process is then killed to conserve system resources.
- any sequence of numbers generated with good distributions, minimum repetition, and lack of predictability, whether generated using a pseudo-random number generator or not, is referred to as randomly generated numbers.
- the seed is supplied to the PRNG, thereby generating a first random number.
- the random number is then modified (such as by truncation or by using the modulus operator) to determine an index into the question and answer array.
- the question stored in the question and answer array at the index is then presented to the user.
- the first random number or an integer derived from it is used as an input to the PRNG, thereby generating a second random number.
- the second random number or an integer derived from it is used as an input to the PRNG, thereby generating a third random number.
- the third random number is then converted to an index into an array of question and answer pairs to select a question to challenge a user.
- the index can be determined, for example, by multiplying the number by a scale factor, truncating the remainder, and then using the modulus operator with the operand the total number of elements (e.g., questions) in the array.
- a first random number is generated within the range of 1 to 3.
- This first generated random number is then input to a function (f) which receives inputs and generates a random number within a range of 1 to 18.
- the output of the function (f) is then input to a function (g), which receives inputs and generates a random number within a range of 1 to 36.
- the output of the function (g) is dependent on randomly generated number and is said to function as g(f(x)), where x is a number in a range of 1 to 3.
- the output of g(f(x)) is used to generate an index into the question and answer array to randomly select questions for display to a user.
- the random number generator based on the functions g and f are thought of as a three-wheel combination wheel, with the inner wheel corresponding to x, the middle wheel corresponding to the function f, and the outer wheel corresponding to the function g. It will be appreciated that the measure of randomness increases with the ranges of x, the function f, and the function g.
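The chained selection and the g(f(x)) "combination wheel" described above, written out as an added Python example that is not part of the patent. f and g are modelled as seeded PRNG draws, which makes visible a property the text leaves implicit: when f and g are deterministic functions of their input, g(f(x)) can take at most as many values as x can, so the "lack of predictability" the text requires of the numbers rests entirely on the seed. predictable_seed reproduces the page's seconds-since-epoch source, which anyone who knows roughly when a logon happened can enumerate; unpredictable_seed and secure_combination, which draw from the operating system's CSPRNG through the secrets module, are this example's additions and not something the patent describes.

```python
import random
import secrets
import time
from typing import Callable, Iterable, List

POOL_SIZE = 36   # question and answer array with thirty-six entries, as in the page's example


def chain_indices(seed: int, pool_size: int, count: int) -> List[int]:
    """Chained selection: the seed yields the first number, that number re-seeds the PRNG for
    the second, and so on. Each number is reduced to an array index with the modulus operator."""
    indices: List[int] = []
    current = seed
    for _ in range(count):
        current = random.Random(current).getrandbits(32)   # previous output is the next input
        indices.append(current % pool_size)
    return indices


def three_wheel(x: int) -> int:
    """g(f(x)): the inner wheel x (1..3) drives f (1..18), whose output drives g (1..36).
    f and g are modelled as seeded PRNG draws, i.e. deterministic functions of their input."""
    if not 1 <= x <= 3:
        raise ValueError("inner wheel position must be 1..3")
    f = random.Random(x).randint(1, 18)
    g = random.Random(f).randint(1, 36)
    return g - 1          # 0-based index into the question and answer array


def reachable_outputs(selector: Callable[[int], int], inputs: Iterable[int]) -> int:
    """How many distinct indices a composed selector can actually produce from its inputs."""
    return len({selector(i) for i in inputs})


def predictable_seed() -> int:
    """The page's seed source: seconds since the Unix epoch. A few thousand candidate seeds
    cover any logon whose time is known to within an hour."""
    return int(time.time())


def unpredictable_seed() -> int:
    """Assumption of this example, not the patent: 64 bits from the OS CSPRNG."""
    return secrets.randbits(64)


def secure_combination(pool_size: int, count: int) -> List[int]:
    """Distinct indices drawn straight from the OS CSPRNG: no seed to guess, no repeats
    within one combination."""
    return secrets.SystemRandom().sample(range(pool_size), count)
```

Because chain_indices is fully determined by its seed, two logons that seed from the same second present the same questions; the test below checks that reproducibility rather than any particular index values.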
- FIG. 10 shows an area 600 for use in a data structure used to track what questions and combinations of questions have already been asked and when they were asked. Because questions are always asked as part of a combination of questions, the area 600 is used to track all of the questions from the combination of questions. This is described more clearly in FIG. 12 .
- the system is set up to challenge the user with three questions from a pool of thirty-six questions.
- three data structures (e.g., 550), one each to pose a question in the combination of questions, are used.
- the area 600 comprises a current question area 601 , a previous question area 620 , and a later question area 640 .
- Each of the areas 601 , 620 , and 640 contains a table with rows that store index and time pairs.
- the exemplary area 601 contains rows 605 - 607 .
- the row 605 contains a first entry 605 A and a corresponding second entry 605 B.
- the first entry 605 A contains the value “10,” which indicates that the current question to pose is stored in the question array at index 10 .
- the second entry 605 B contains the value “0001,” which indicates that the question at index 10 was asked “0001” time units (e.g., seconds) ago.
- the row 606 contains a first entry 606 A and a corresponding second entry 606 B.
- the value “8” in the first entry 606 A and the value “0004” in the corresponding second entry indicate that the question at index 8 in the question array was asked “0004” time units ago.
- the previous question area 620 and the subsequent question area 640 both contain corresponding index and time pairs indicating questions and times they were asked, selected for another question in the combination of questions.
- the question and answer pairs are selected from the same question array so that the indices 605 A, 606 A, 607 A, 621 A, 622 A, 623 A, 641 A, 642 A, and 643 A all refer to questions in the same or copies of the same question and answer array.
- FIG. 11 shows the steps 700 of a process for using the data structure 600 in accordance with one embodiment of the present invention.
- an index is randomly generated, thereby selecting a question stored in a question and answer array at the index.
- the process determines whether the question was asked before, as shown by its entry in the data structure 600 . This determination is made by checking whether the index is stored in any of the entries 605 A, 606 A, 607 A, 621 A, 622 A, 623 A, 641 A, 642 A, and 643 A (collectively, the “system index entries”). If the index is not among the system index entries, the process continues to the step 707 , where the question is displayed.
- Otherwise, the process continues to the step 705, where the process determines whether the question was asked sufficiently long ago. For example, if the question was asked a year ago, the system assumes that an unauthorized user either has not seen the question before or cannot remember the answer, and thus allows the question to be asked. This determination is made by checking the corresponding timestamp for the entry containing the index, stored in one of the entries 605 B, 606 B, 607 B, 621 B, 622 B, 623 B, 641 B, 642 B, and 643 B.
- the question (among the combination of questions asked) is displayed to the user.
- the index to the question and its current timestamp are stored in the area 601 and also in the areas 620 and 640 of the data structures used to ask the other questions in the combination of questions.
- the data structures used to ask the other questions can also keep track of the questions asked.
- the data structures 601 , 620 , and 640 are implemented as “stack” data structures, so that new index and timestamps are pushed onto the top of the data structures 601 , 620 , and 640 . The bottom element of the stack is discarded, indicating that it is “old” and thus was asked long enough ago that it can be asked again.
- the data structures 601 , 620 , and 640 are able to store many more than 3 elements each (e.g., rows 605 A, 606 A, and 607 A). Only in this way can “old” elements truly be considered old enough that they can be asked again.
- In the step 711, the answer input by the user is read and, in the step 713, compared with the correct answer stored in the system. If the answer is correct, the process proceeds to the step 715, where it is determined whether any more questions are to be asked. If more questions are to be asked, the process loops back to the step 701; otherwise, the process continues to the step 717, where the process ends. Similarly, if in the step 713 the process determines that the answer is incorrect, then the process also continues to the step 717, where the process ends.
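The tracking structure of FIG. 10 and the selection loop of FIG. 11, as an added Python example rather than code from the patent. QuestionHistory is the bounded stack of (index, timestamp) rows shared by all slots of the combination: a question may be asked again only if it is absent from the stack or its newest row is at least min_age seconds old, and once the stack is full the bottom row is discarded as "old". select_combination repeats the draw-check-record steps for each slot and returns None when no admissible combination exists, the starvation case that arises when the pool is small relative to the history window. The capacity and min_age values, the seeded draw function used for testing, and the decision to record indices only once the whole combination is found are assumptions of this example.

```python
import random
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, List, Optional


@dataclass
class AskedRecord:
    index: int          # position of the question in the question and answer array
    asked_at: float     # when it was asked, in seconds


class QuestionHistory:
    """Bounded stack of (index, timestamp) pairs shared by every question slot in the
    combination. New records are pushed on top; once capacity is reached the bottom record
    is discarded, and its question counts as old enough to be asked again."""

    def __init__(self, capacity: int, min_age: float) -> None:
        self.min_age = min_age
        self._stack: Deque[AskedRecord] = deque(maxlen=capacity)   # maxlen drops the bottom

    def last_asked(self, index: int) -> Optional[float]:
        for rec in reversed(self._stack):          # top of the stack first
            if rec.index == index:
                return rec.asked_at
        return None

    def may_ask(self, index: int, now: float) -> bool:
        last = self.last_asked(index)
        return last is None or (now - last) >= self.min_age

    def record(self, index: int, now: float) -> None:
        self._stack.append(AskedRecord(index, now))


def seeded_draw(seed: int) -> Callable[[int], int]:
    """Deterministic index source for tests; a real system draws from a CSPRNG."""
    return random.Random(seed).randrange


def select_combination(history: QuestionHistory, pool_size: int, count: int, now: float,
                       draw: Callable[[int], int], max_tries: int = 1000) -> Optional[List[int]]:
    """Steps 701-709 repeated for each slot: draw an index, skip it if it is already in this
    combination or was asked too recently, otherwise keep it. Returns None if no admissible
    combination is found within max_tries; nothing is recorded in that case."""
    chosen: List[int] = []
    for _ in range(max_tries):
        if len(chosen) == count:
            break
        idx = draw(pool_size)
        if idx in chosen or not history.may_ask(idx, now):
            continue
        chosen.append(idx)
    if len(chosen) < count:
        return None
    for idx in chosen:
        history.record(idx, now)
    return chosen
```

A caller that receives None has to decide between shortening min_age, growing the pool, or refusing the logon; silently asking a recent question again would defeat the purpose of the history.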
- FIG. 12 shows the data structure 600 of FIG. 10 , used to select one question to ask as a combination of questions asked during the authorization step.
- FIG. 12 also shows a data structure 660 for asking a second question and a data structure 650 for asking a third question, both also part of the combination of questions.
- Components with the same labels refer to the same or identical copies of the same component. It will be appreciated that a combination of questions can include more than three questions, and if it does, a corresponding number of data structures similar to the data structure 600 are used.
- the arrows shown in FIG. 12 connect a data structure 601 , 620 and 640 with the corresponding questions posed to a user.
- the arrow from the element 620 in the data structure 600 (referred to as the element 600 - 620 ) pointing to the data structure 660 indicates that the element 600 - 620 contains the questions and corresponding timestamps selected using the data structure 660 .
- Other elements in FIG. 12 are similarly labeled AAA-BBB, where AAA refers to a data structure and BBB is the element within the data structure AAA.
- the questions selected using the data structure 660 are the first questions in the combination of questions posed to a user.
- the data structure 660 contains a list of questions and timestamps ( 660 - 601 ) selected using the second data structure 600 for display to a user and a list of questions and timestamps ( 660 - 640 ) selected using the third data structure 650 .
- the remaining arrows are similarly explained.
- the elements 660 - 620 , 600 - 601 , and 650 - 640 indicate the questions selected and currently displayed using the data structures 660 , 600 , and 650 , respectively.
- the questions currently displayed by each of the data structures 660 , 600 , and 650 are shown below them.
- the data structure 660 is used to currently display the question at index 6 of the question and answer array: “What is my mother's maiden name?”
- the data structure 600 is used to currently display the question at index 10 of the question and answer array: “What is my favorite color?”
- the data structure 650 is used to currently display the question at index 0 of the question and answer array: “In what year was my sister born?”
- an authorization module contains three similar data structures (A, B, C), each used to randomly generate and thereby randomly select a question presented to a user as part of an authorization process.
- Each of the data structures A, B, and C contains a data element similar to the element 601 in the data structure 600 of FIG. 12 .
- the exemplary data element in the structure A contains the list of questions selected using the structure A.
- Rather than containing the lists of questions selected using the structures B and C, however, the structure A merely contains pointers to the structures B and C. These pointers are used to access the lists of questions selected using the structures B and C. This embodiment eliminates the need for the exemplary data structure A to keep copies of the questions selected using the data structures B and C.
- FIG. 13 shows a question and answer array 800 ;
- FIGS. 14 A-C show a first array 820 and a second array 840 , each for selecting a question in a combination of questions presented to a user, during different times that a system is authenticating a user.
- the question and answer array 800 has thirty-six rows 801 - 804 , each containing a question and answer pair. In this embodiment, only a single copy of the question and answer array 800 is required.
- each row 801 - 804 is labeled with an index number (e.g., the label “[0]” 801 A) and contains a question (e.g., “What is my mother's maiden name?” 801 B) and a corresponding answer (e.g., “Smith” 801 C), a question and answer pair.
- When an index (e.g., 801 A) is selected, the corresponding question (e.g., 801 B) is presented to the user; the user's response is received and compared with the corresponding answer (e.g., 801 C) stored on the system to determine if the user is authorized to use the system and thus access data on the system.
- the first and second arrays 820 and 840 are used to store indices into the question and answer array 800 .
- the first and second arrays 820 and 840 are able to be used to increase the randomness of questions presented to a user.
- FIG. 14A shows the first and second arrays 820 and 840 when the user attempts to log on to the system a first time,
- FIG. 14B when the user attempts to log on a second time
- FIG. 14C when the user attempts to log on a third time.
- FIGS. 14 A-C also show, for illustration only, the indices of the first array 820 in the column 825 and the indices of the second array 840 in the column 845 .
- the entry labeled “[0]” (column 825 ) refers to the first entry in the array (using “0” as the starting index), with the corresponding entry (e.g., “firstarray[0]”) having the value “0” (column 820 ).
- Entries in the array 840 are similarly labeled.
- the first array 820 contains the indexes to the question and answer array 800 .
- the value in each entry of the first array 820 contains the value of its own index.
- the first entry ([ 0 ]) of the first array 820 contains the value “0”
- the thirty-fifth entry ([ 35 ]) contains the value “35.”
- all the entries of the second array 840 are “don't care values,” indicated by an “x.”
- In operation, a random number generator generates a first number between 0 and 35, inclusive, indicating the first question to present to a user during the authorization process.
- the random number generator generates the number 2 , indicating that the question at the index 2 of the question and answer array 800 ( 803 B) is displayed to a user during the authorization process, and the user's answer compared with the answer at index 2 of the question and answer array ( 803 C).
- the index 2 is stored at the next available entry (e.g., the entry with the lowest index containing an “x”) of the second array 840 (here, at index 0 ).
- the first array 820 is initially used to store indexes into the question and answer array 800 of questions that have yet to be presented to a user; the second array 840 is initially used to store indexes into the question and answer array 800 of questions that have already been presented.
- a “current authorization cycle” is used to refer to a sequence of combinations of questions that are presented before exhausting all the stored questions to a user. Thus, if 36 question and answer pairs are stored in the question and answer array 800, and each combination contains three questions, the current authorization cycle contains 36/3 or 12 combinations of questions. That is, after 12 combinations of questions have been presented to a user, all of the questions stored in the system have been presented. The user now has the option to enter different or additional question and answer pairs into the system.
- the first array 820 is called the “source array” (during this authorization cycle) because it provides indexes to the questions to be presented and the second array is called the “spent array” because the indexes to questions already presented are stored there.
- the index 0 (generated by the random number generator) is selected next so that the element 0 of the question and answer array 800 is presented.
- the index 0 is stored at the next available entry of the second array 840 (here, index 1 ).
- the index 35 is selected in the same manner, so that the question at index 35 of the question and answer array 800 is presented.
- the value “35” is stored at the next available entry of the second array 840 (here, index 2 ).
- a user is presented with three questions (the randomly selected combination of questions) as part of the authorization process.
- FIG. 14B shows the first array 820 and the second array 840 at the end of the first authorization process. It will be appreciated that the first array 820 now has 33 elements, with the last element stored at index 32. Because the entries at indices 33-35 are not used during the current authorization cycle, they are shown as “don't care values.” The random number generator must now generate numbers between 0 and 32 instead of 0 and 35. FIG. 14B also shows that the elements in the first array 820 have been “slid down” so that if an entry contains an index corresponding to a question that was already presented in the current authorization cycle, it is replaced by the index of the next-highest numbered entry. This “sliding down,” of course, can occur as soon as a question is presented.
- FIG. 14C shows the first array 820 and the second array 840 after the current authorization cycle is completed.
- the second array 840 is now regarded as the source array and the first array 820 as the spent array, and the process continues.
- the system now asks the user whether he would now like to input different entries into the question and answer array 800 or to add additional entries.
- the “new” source array 840 contains entries in random order, because they were stored in the order produced by the random number generator.
- the system now contains two levels of randomness.
- the randomness of selecting questions is thus increased each time the roles of the arrays 820 and 840 as the source array and the spent array are switched.
- Because indexes are deleted from the source array, the probability of repeating questions during a single authorization cycle is eliminated.
- FIG. 15 shows the steps 900 of a process for randomly selecting questions using data structures similar to those in FIGS. 13 and 14 A-C.
- In an initialization step (not shown), the question and answer array is populated by a user and a source array is initialized.
- an index into the question and answer array 800 is randomly selected, such as described above.
- the question in the question and answer array stored at the index is presented to a user.
- The index is then stored in the spent array; in the step 907, the index is removed from the source array; and in the step 909, the entries in the source array are slid to replace the entry at the selected index, and the upper limit of the random number generator is updated to account for the fewer indexes that can be selected.
- In the step 911, it is determined whether the authorization failed; that is, whether the user did not supply the correct answer to the selected question. If the authorization failed, the process continues to the step 921, where the process completes. Otherwise, the process continues to the step 913, where it determines whether there are more questions to present (e.g., whether all three questions in the authorization process have been presented). If there are more questions to present, the process loops back to the step 901; otherwise, the process continues to the step 915. In the step 915, the process determines whether the source array is “exhausted”; that is, whether it no longer contains indexes to questions that have not been presented during the current authorization cycle.
- If the source array is not exhausted, the process continues to the step 919, where the authorization step is determined to succeed, and then continues to the step 921. If, in the step 915, it is determined that the source array has been exhausted, the process continues to the step 917, where the system now recognizes the source array as the spent array and the spent array as the source array. From the step 917, the process continues to the step 919 and then completes in the step 921.
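The source/spent array scheme of FIGS. 13-15, as an added Python example that is not code from the patent. Popping an index out of a Python list performs the “slide down” of step 909 and shrinks the range the generator draws from; when the source list is empty the two lists swap roles (step 917), so the next cycle draws from a list already in random order. One case the page's 36/3 example never reaches is handled explicitly: when the pool size is not a multiple of the combination size, the swap can happen in the middle of a combination, and the exclude parameter keeps a question just shown from being drawn again in the same combination. The deterministic generator used for testing, the exclude parameter and the cycles_completed counter are assumptions of this example; by default it draws from the OS CSPRNG.

```python
import random
import secrets
from typing import Iterable, List, Optional


def seeded_rng(seed: int) -> random.Random:
    """Deterministic generator for tests; CycleSelector defaults to the OS CSPRNG."""
    return random.Random(seed)


class CycleSelector:
    """Source/spent arrays of FIGS. 13-15. `source` holds indexes into the question and answer
    array not yet presented in the current cycle; `spent` holds those already presented."""

    def __init__(self, pool_size: int, rng: Optional[random.Random] = None) -> None:
        if pool_size < 1:
            raise ValueError("need at least one question")
        self.source: List[int] = list(range(pool_size))   # firstarray[i] == i initially
        self.spent: List[int] = []                        # "don't care" until filled
        self._rng = rng if rng is not None else secrets.SystemRandom()
        self.cycles_completed = 0

    def _swap_if_exhausted(self) -> bool:
        """Steps 915/917: when nothing is left to draw, the spent array becomes the source."""
        if self.source:
            return False
        self.source, self.spent = self.spent, self.source
        self.cycles_completed += 1
        return True

    def draw(self, exclude: Iterable[int] = ()) -> int:
        """Steps 901-909 for one question. `exclude` keeps a question already shown in this
        combination from coming back if the swap happens mid-combination (only possible when
        the pool size is not a multiple of the combination size)."""
        self._swap_if_exhausted()
        excluded = set(exclude)
        positions = [p for p, idx in enumerate(self.source) if idx not in excluded]
        if not positions:
            raise ValueError("pool too small for a combination of this size")
        pos = positions[self._rng.randrange(len(positions))]   # upper limit = remaining count
        idx = self.source.pop(pos)                             # slide the rest down
        self.spent.append(idx)                                 # next free slot in spent
        return idx

    def combination(self, count: int) -> List[int]:
        """One authorization: `count` questions, then the exhaustion check of step 915."""
        picks: List[int] = []
        for _ in range(count):
            picks.append(self.draw(exclude=picks))
        self._swap_if_exhausted()
        return picks
```

Within a cycle this is sampling without replacement, so no question repeats until every other question has been asked; across cycles the guarantee is only that the order differs, which is why the page pairs this scheme with the option to enter new questions once a cycle completes.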
- a user configures a system to authenticate him.
- During an initialization stage, the user generates a series of questions, preferably personal questions, and supplies corresponding answers.
- the user is able to select (1) a sequence for answering the questions, (2) one or more questions that should not be answered, (3) “incorrect” answers that must be supplied, or (4) any combination of these.
- the user is able to configure the interface for presenting the questions and receiving the answers.
- the system is also configured to determine the user's position in an organization and accordingly grant permissions for the user to access data.
- the user is able to later change or supplement the question and answers and other authorization steps.
- the user's permissions may also be configured over time as the user's position within the organization changes.
- When the user later logs on to the system, the system challenges her with the questions. The questions are selected randomly, to ensure that questions are not asked frequently enough to compromise the security of the system. The system matches the user's responses to those stored in the system, checking that she also entered her responses in accordance with any additional verification steps. Once the user is verified, the system allows her to access data according to the permissions granted to her. As one example, her permissions allow her to access data owned by a particular department but not data owned by a particular business unit.
Abstract
Description
- This application claims priority under 35 U.S.C. § 119(e) of the co-pending U.S. provisional patent application Ser. No. 60/658,755, filed Mar. 4, 2005, and titled “Key Management System,” which is hereby incorporated by reference.
- This invention relates to computer security. More particularly, this invention relates to systems for and methods of increasing the security of computer systems using combinations of user-supplied information.
- Today, many computer systems rely on a single-phrase password system to grant access to the computer system. Single-phrase password systems are easy to circumvent, such as by interception, by “brute-force” software programs that generate multiple combinations of characters, which are entered into the system, or by programs that snoop around system memory looking for possible passwords. Furthermore, many people write down their passwords, because they are non-intuitive and thus difficult to remember.
- Some prior art systems use one-time password modules. Using these modules, a user inputs a seed into a one-time password generator, which generates a list of multiple passwords of seemingly random characters. The system on which these passwords are to be used will accept each password on the list only once. Thus, even if an eavesdropper were to intercept a password that an authorized user has used or is using to log on to the system, the eavesdropper cannot use the password. Because it has been used by the authorized user, it cannot be used again.
- One-time password modules have the disadvantage of generating strings of random characters that are incomprehensible, non-intuitive, and thus difficult to remember. Users often write the list of passwords down, compromising the security of the system if the list is found and later used by an unauthorized user.
- Other prior art systems use biometric information to grant access to a computer system. These systems use biometric hardware, which may not fit on systems that have a small footprint, and associated software.
- The present invention is used to control access to protected data, data that is protected by encryption, by limiting access to directories in which it is stored, or by other means. Generally, the data is owned or controlled by organizational levels in an entity. For example, a corporate level owns and controls confidential data that only those on the corporate level, such as chief operating officers (COOs) and the like, should have access to. Conversely, an engineering level owns and controls data that not only engineers, but also the COO should have access to. Users are granted permission to access data by authenticating themselves and then receiving encryption and decryption keys that allow them to access protected data.
- Embodiments of the invention provide increased security by randomly selecting questions used to challenge anyone attempting to log on to the system. By randomly selecting questions and ensuring that the selected questions are not asked too often, the system ensures that even if an unauthorized user learns of the questions and answers used during one logon session, those answers cannot later be used to gain unauthorized access to the system.
- In one aspect of the present invention, a method of controlling access to a system comprises performing a test that includes comparing input responses to randomly selected questions with corresponding pre-determined responses to the questions and granting access to the system in the event the test is passed. A first condition of passing the test is that each input response matches a corresponding pre-determined response. A pre-determined response is a pre-determined correct answer to its corresponding question. Alternatively, a pre-determined response is a pre-determined incorrect answer to its corresponding question.
- In one embodiment, the method further comprises presenting the questions sequentially. In an alternative embodiment, the method further comprises presenting the questions concurrently. In one embodiment, a second condition of passing the test is entering the input responses into the system in a pre-determined sequence.
- Questions are able to be presented using any number of means including, but not limited to, display screens, voice modules, and the like. Responses are able to be received using any number of means including, but not limited to, keyboards, mice, touch screens, biometric sensors, joy sticks, and voice recognition modules.
- The method further comprises displaying questions and candidate responses in a multiple choice format. A first condition of passing the test is selecting a pre-determined question and providing a corresponding pre-determined response to the question. The test is failed by selecting a question that has no corresponding pre-determined response. In one embodiment, the method further comprises displaying candidate responses that include correct answers to the questions and also incorrect answers to the questions.
- Preferably, granting access to the system comprises decrypting information on the system using a decryption key, encrypting information using an encryption key, or both.
- The method further comprises selecting a question for display based on a time that the question was last displayed. Alternatively, or additionally, the method further comprises selecting a question for display based on a number of times the question was displayed within a pre-determined time period.
- In a second aspect of the present invention, a method of controlling access to a system comprises selecting a combination of questions for presentation to a user; determining a classification of the user on the system; and granting access to an area of the system based on both responses to the combination of questions and the classification. The classification corresponds to a membership of the user in one or more of a corporation, a division, a department, a group, and a project. Preferably, the combination of questions is randomly selected.
- In one embodiment, the area of the system corresponds to any one or more of a disk partition, a file system, a portion of a database, a directory, an electronic folder, an electronic file, and a data object.
- The method further comprises displaying the combination of questions using a user interface protocol. The user interface protocol comprises displaying candidate responses to the questions as multiple choices.
- Preferably, the method further comprises encrypting a response input by the user using an encryption key to generate an encrypted input response and granting access to the system in the event that the encrypted input response matches a corresponding encrypted system response. Granting access to the system comprises decrypting the area of the system using a decryption key corresponding to the encryption key. In a preferred embodiment, encryption and decryption are performed in a system kernel. In addition, granting access to the area comprises determining permissions to the area corresponding to the classification. The classification has a hierarchical structure that corresponds to an organizational structure of an entity.
- In a third aspect of the present invention, a module for controlling access to a system comprises means for randomly selecting a combination of questions and means for granting access to the system in the event user responses to the questions match corresponding system responses to the questions. The module further comprises means for displaying the combination of questions. The means for displaying displays the combination of questions sequentially. Alternatively, the means for displaying displays the combination of questions concurrently. Preferably, the means for selecting a combination of questions comprises a memory for storing information for tracking questions presented to a user.
- In a fourth aspect of the present invention, a module for controlling access to a system comprises means for displaying a randomly selected combination of questions to a user and a grant component for granting access to the system based on a classification of the user and responses of the user to the questions. Granting access to the system comprises granting access to one of an encryption key, a decryption key, or both, for accessing data on the system.
- In a fifth aspect of the present invention, a network of devices comprises one or more user devices and an access control module. The access control module is for granting access to protected data to multiple users using the user devices. Each user from the multiple users is granted access based on his position in an organization and on his responses to a combination of randomly selected questions.
- FIG. 1 shows hierarchically-arranged levels of an organization, data owned within several of the levels, and users attempting to access the data in accordance with the present invention.
- FIG. 2 shows the steps of a process for authenticating a user and using permissions granted to him for accessing data, all in accordance with the present invention.
- FIG. 3 shows a corporate access control module, an authentication module, and an access parameter module in accordance with the present invention.
- FIG. 4 shows how the authentication module in FIG. 3 is used to generate keys for accessing protected data in accordance with the present invention.
- FIG. 5 shows a Karnaugh map corresponding to permissions for granting access to a user in accordance with the present invention.
- FIG. 6 shows a logic diagram corresponding to the Karnaugh map of FIG. 5.
- FIG. 7 shows a graphical user interface (GUI) displaying a combination of questions for challenging a user in accordance with the present invention.
- FIG. 8 shows another GUI displaying a combination of questions for challenging a user in accordance with the present invention.
- FIG. 9 shows a data structure for selecting a random combination of questions to challenge a user in accordance with the present invention.
- FIG. 10 shows another data structure for tracking questions already asked a user in accordance with the present invention.
- FIG. 11 shows steps for tracking questions displayed in accordance with the present invention.
- FIG. 12 shows the data structure of FIG. 10 and similar data structures, all used to track questions already asked in accordance with the present invention.
- FIG. 13 shows a question and answer array in accordance with one embodiment of the present invention.
- FIGS. 14A-C show arrays used to randomly select questions and answers in accordance with one embodiment of the present invention, after authorizing a user at three different times.
- FIG. 15 shows steps for using the data elements in FIGS. 13 and 14A-C in accordance with one embodiment of the present invention.
- In accordance with the present invention, a system provides access to system data based on (1) a user's ability to answer randomly selected questions, (2) a user's classification within an organization, or (3) both. By presenting randomly selected questions to a user, the system ensures that even an eavesdropper cannot use answers provided to the questions, since those questions are unlikely to be asked (and their corresponding answers expected) the next time the system is accessed. As another or additional security feature, the system checks the classification or position of the user (e.g., corporate director, manager in accounting, or engineer) and grants the user access to only those data for which he has permission. In a preferred embodiment, a user must correctly answer a combination of three randomly selected questions. In alternative embodiments, the user must correctly answer fewer than three or more than three randomly selected questions.
-
FIG. 1 shows an exemplary hierarchical tree structure 100 illustrating several organizational levels and used to explain embodiments of the present invention. The hierarchical structure 100 includes a corporate level 101, a division level 103, and a project level 105. The corporate level 101 contains one corporation 101A, the division level 103 contains three divisions 103A-C, and the project level 105 contains three projects 105A-C. The corporation 101A owns a database 130 to which access is controlled (a “protected” database), the division 103A owns a protected electronic folder 135, and the project 105A owns a protected electronic file 140. A user 120 is part of the division level 103 and a user 122 is part of the project level 105.
- In this example, both of the users user 120 to the folder 135, the user 120 is able to access the protected folder 135 because (1) he answered randomly generated questions correctly and (2) his position in the organizational hierarchy permits him to access the folder 135. Similarly, as shown by the “X” breaking the line connecting the user 122 to the folder 135, the position of the user 122 does not allow him to access the folder 135. The unbroken line connecting the user 122 to the protected file 140 indicates that the user 122 is allowed to access the protected file 140. This example thus illustrates how embodiments of the invention grant access to system data based on users' positions in an organizational hierarchy. As described in more detail below, the system grants access to data on the system by associating “permissions” for the data with the user.
- This example also illustrates another advantage of the present invention. When the user 120 verifies his identity, he is challenged with the randomly selected combination of questions A, B, and C, to which he provides the correct responses A′, B′, and C′. Even if the user 122 were to view or otherwise intercept the responses A′, B′, and C′ and tried to log on as the user 120, he would be challenged with a new randomly selected combination of questions D, E, and F, with the corresponding correct responses D′, E′, and F′. The responses A′, B′, and C′, which the user 122 now has, cannot be used by the user 122 to log on to the system as the user 120. Still using this example, embodiments of the system check to make sure that the questions A, B, and C are not asked again, either alone or in the same combination, within a pre-determined time period or within a pre-determined number of iterations.
- As discussed in more detail below, in an initialization step, the user 120 enters the questions A, B, C, D, E, and F and provides the corresponding responses A′, B′, C′, D′, E′, and F′. The user 120 generally chooses personal questions to which few within his organization know the answers, questions such as “What is my favorite team?” or “How many nephews do I have?” The user 120 is also able to select “incorrect” responses to questions. For example, for the question “How old am I,” the user 120 is able to select the response “22” even though the user 120 is much older. In other words, by responding with the “incorrect” answer “22,” the user 120 is able to verify his identity and thus access the system.
- It will be appreciated that the system is able to grant a user access to system data in any number of ways. These include, but are not limited to, (1) granting to the user or user applications a key for decrypting system data (such as when the user wishes to read data that has been encrypted and stored on the system) or another key for encrypting data (such as when the user wishes to write data) and (2) granting the user permission to traverse a directory. Preferably, when a user is granted a key, its use is “transparent”; that is, the user does not see the key or do anything special to use it. Once he is granted access to data, the operating system or other applications use the encryption and decryption keys without user intervention.
-
FIG. 1 shows a rather simple organizational structure used to describe the invention. Embodiments of the present invention are able to be used with more complex organizational structures, tree-like or not, such as one in which a corporation contains multiple divisions, each division contains multiple business units, each business unit contains multiple departments, each department contains multiple groups, each group contains multiple projects, and each project contains multiple individuals. -
FIG. 2 shows the steps of a process 150 for determining whether a user is able to access protected data. First, in the step 151, it is determined whether a user is authenticated, such as by correctly answering a randomly selected combination of questions. If the user answers the questions correctly, the process continues to the step 153; otherwise, the process continues to the step 159, where the process ends. In the step 153, the process determines permissions to grant the user, based in whole or in part on his position in an organization that owns the system. Next, in the step 155, the process determines whether the user's permissions allow him to access the data. If the user's permissions do allow him to access the data, the process continues to the step 157, where the user accesses the data, from which the process proceeds to the step 159, where the process ends. If, in the step 155, the process determines that the user is not allowed to access the data, the process continues to the step 159, where the process ends. -
FIG. 3 shows modules of a system 200 in accordance with the present invention. The system 200 comprises a corporate access control module 210, an authentication module 240, and an access parameter module 260. The corporate access control module 210 includes a corporate vector 222 and a corresponding permissions vector 230. The corporate vector 222 has the components 222A-G, and the permissions vector 230 contains permissions for each component. For example, a corporate level 222A has permissions 230A (shown with the placeholder “-x-”), a divisional level 222B has permissions 230B, a business unit level 222C has permissions 230C, a department level 222D has permissions 230D, a management group (“group”) level 222E has permissions 230E, a project team (“team”) level 222F has permissions 230F, and a user level 222G has permissions 230G. The exemplary permissions 230A define the permissions of a user at the corporate level 222A. As one example, a user at the corporate level 222A has permissions to access any file anywhere on the system, regardless of what level owns the file. In contrast, the permissions 230E of a user at the group level 222E allow that user to access only data owned by that group. Preferably, the components 230A-G of the permissions vector 230 are set by a system administrator during system initialization. Alternatively, or additionally, a head of a level (e.g., a department manager) sets permissions for members in the level.
- In one embodiment, protected data are encrypted with encryption keys that have corresponding decryption keys; permissions define which keys a user is granted and thus which data a user is able to decrypt and thus access. Thus, for example, a user at the corporate level is granted a corporate encryption key and a corporate decryption key (collectively called a corporate master key); a user at the divisional level is granted a divisional master key; etc. The corporate key decrypts and encrypts all data within the user's organization. Similarly, a divisional master key decrypts and encrypts all data owned by the business unit level, the department level, all the way down to the user level. The permissions vector 230 is thus used to define permissions for all users based on their positions in the organizational hierarchy.
- The access parameter module 260 illustrates the components of a permissions sub-vector (e.g., 230A) of the permissions vector (e.g., 230), containing permissions for both encrypting, such as when a user is writing to a protected area, and decrypting, such as when a user is reading from a protected area. The permissions for decrypting are indicated by the sub-vector 261, which indicates permissions for read 262, execute 263, share 264, and copy 265, shown by the corresponding codes “R” 262A (for read), “X” 263A (for execute), “S” 264A (for share), and “C” 265A (for copy), generally referred to as permissions “RXSC.” Similarly, the permissions for encrypting are indicated by the sub-vector 271, which indicates permissions for write 272, delete 273, move 274, and modify 275, shown by the corresponding codes “W” 272A (for write), “D” 273A (for delete), “Mv” 274A (for move), and “M” 275A (for modify), generally referred to as permissions “WDMvM.” It will be appreciated that other permissions and combinations of permissions are allowable in accordance with the present invention, such as “not copy.”
- The authentication module 240 comprises a question and response component 241 that, as shown in the example of FIG. 2, presents and receives, respectively, the question “User Question 1” and the corresponding response “User Answer 1”; the question “User Question 2” and the corresponding response “User Answer 2”; and the question “User Question 3” and the corresponding response “User Answer 3.” After authenticating the user based on “User Answer 1,” “User Answer 2,” and “User Answer 3,” the system determines a user name and key combination 245, which grants the user permission to access system data in accordance with the present invention.
- In one embodiment, questions and answers are encrypted and stored on the system. This ensures that the question and answer pairs stored on the system cannot be read and later used by an unauthorized user. Thus, when a user accesses the system, a selected question is decrypted and presented to the user. The user's response is encrypted and compared to the encrypted response stored on the system to determine whether the user entered a correct response.
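The position check of FIG. 1 and the permission codes of the access parameter module 260, carried through the steps of FIG. 2 as an added example (my code, not the patent's). The rule that a level's master key covers everything at or below it is taken from the master-key description above; the contents of the permissions vector are constructed, since the page shows them only as “-x-” placeholders, and the node labels 101A/103A/105A are reused from FIG. 1.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Permission codes of the access parameter module 260: the decrypt-side
# sub-vector "RXSC" and the encrypt-side sub-vector "WDMvM".
DECRYPT_SIDE: FrozenSet[str] = frozenset({"R", "X", "S", "C"})
ENCRYPT_SIDE: FrozenSet[str] = frozenset({"W", "D", "Mv", "M"})

# Constructed permissions vector, keyed by depth in the tree of FIG. 1
# (0 = corporate level 101, 1 = division level 103, 2 = project level 105).
# The page shows these entries only as "-x-" placeholders; the values are mine.
PERMISSIONS_VECTOR: Dict[int, FrozenSet[str]] = {
    0: DECRYPT_SIDE | ENCRYPT_SIDE,             # corporate master key: everything
    1: DECRYPT_SIDE | frozenset({"W", "M"}),    # division: read side plus write/modify
    2: frozenset({"R", "X", "W"}),              # project: read, execute, write
}


@dataclass(frozen=True)
class Position:
    """A node in the organizational hierarchy, e.g. ('101A', '103A', '105A')."""
    path: Tuple[str, ...]

    @property
    def depth(self) -> int:
        return len(self.path) - 1

    def covers(self, owner: "Position") -> bool:
        # A master key held at this node decrypts data owned here or anywhere
        # below it, so this node's path must be a prefix of the owner's path.
        return owner.path[: len(self.path)] == self.path


@dataclass(frozen=True)
class Resource:
    name: str
    owner: Position


def decide(user: Position, resource: Resource, operation: str,
           authenticated: bool) -> Tuple[bool, str]:
    """Steps 151 to 159 of FIG. 2: authenticate, derive permissions, check them."""
    if not authenticated:                                        # step 151
        return False, "step 151: user not authenticated"
    granted = PERMISSIONS_VECTOR.get(user.depth, frozenset())    # step 153
    if not user.covers(resource.owner):                          # step 155, position
        return False, "step 155: position does not cover the data owner"
    if operation not in granted:                                 # step 155, permission code
        return False, f"step 155: {operation!r} not granted at depth {user.depth}"
    return True, "step 157: access granted"


def fig1_scenario() -> Dict[str, bool]:
    """Re-creates the unbroken lines and the X of FIG. 1 for users 120 and 122."""
    corp = Position(("101A",))
    division_103a = Position(("101A", "103A"))
    project_105a = Position(("101A", "103A", "105A"))
    folder_135 = Resource("folder 135", owner=division_103a)
    file_140 = Resource("file 140", owner=project_105a)
    database_130 = Resource("database 130", owner=corp)
    user_120, user_122 = division_103a, project_105a
    return {
        "120 reads folder 135": decide(user_120, folder_135, "R", True)[0],
        "122 reads folder 135": decide(user_122, folder_135, "R", True)[0],
        "122 reads file 140": decide(user_122, file_140, "R", True)[0],
        "122 deletes file 140": decide(user_122, file_140, "D", True)[0],
        "120 reads database 130": decide(user_120, database_130, "R", True)[0],
        "120 unauthenticated": decide(user_120, folder_135, "R", False)[0],
    }


if __name__ == "__main__":
    for label, allowed in fig1_scenario().items():
        print(f"{label}: {'allowed' if allowed else 'denied'}")
```

The position test is a path-prefix check, which is exactly what a master key that decrypts “all the way down” implies: it lets a division member into division and project data but never upward into corporate data, and the permission code is checked separately so that a covering position alone does not grant, say, delete.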
- Referring to the example of FIG. 3, in operation, the permission vector 230 is generated by a system administrator, with the corresponding access parameters permission vector 230 is generated when a user is registered on a system. Later, a user uses the authentication module 240 to verify his identity. After verifying the user's identity, the authentication module 240 uses the access parameters -
FIG. 4 is used to explain in more detail the operation of one embodiment of the present invention. FIG. 4 shows the authentication module 240 of FIG. 3 coupled to an access module 270. The access module 270 receives the user name and key combination generated by the authentication module 240 and determines an owner, department, and permissions (collectively, 280) from the user name and key combination, which are then used to make system calls 281 in the system user space 281 to access protected system data in accordance with the present invention. Preferably, to avoid conflicts, the user name is a unique identifier, such as a user identifier. In some embodiments, the user identifier is encoded and compared to a stored encoded user identifier to authenticate the user. System calls into the user space are further described in U.S. patent application Ser. No. 10/648,630, titled “Encrypting Operating System,” and filed Aug. 25, 2003, which is hereby incorporated by reference. The system calls access, for example, an inode 283 to access a protected database 285.
- Several methods exist for determining when a user is to be granted access to a key for encrypting and decrypting system data. One method uses a Karnaugh map to determine a logic structure, helpful in writing software for implementing embodiments of the present invention. FIG. 5 shows a Karnaugh map 300 having rows 310 and columns 320. The Karnaugh map 300 is easily understood by those skilled in the art and is not discussed in great detail here. Each of the rows 310 is labeled with a three-bit identifier. Each bit corresponds to an access to protected data, labeled here as “N,” for “Non Access”; “S,” for “Shared Access”; and “A,” for “Access.” Each of the columns is also labeled with a three-bit identifier. Each bit corresponds to an organizational level, labeled here as “G,” for group; “P,” for project; and “U,” for user. A circled “1” in the intersection of one of the rows 310 and one of the columns 320 indicates that access to protected data is allowed. The non-circled number in the intersection corresponds to a similarly numbered logic component shown in the corresponding logic circuit 350, illustrated in FIG. 6, used, for example, to implement the Karnaugh map 300 in software. The logic circuit 350 shows as inputs (1) a corporate vector 353 corresponding to the group 042 and the project 04 and (2) the permissions vector 355 for non-access, shared access, and access. The output 360 of the logic circuit 350 determines whether a decrypt command is issued, signaling that the user 001, who belongs to the group 042 and the project 04, is granted access to a decryption key.
- Those skilled in the art will recognize that FIG. 5 and the corresponding FIG. 6 correspond to only the lower half of a logic circuit for implementing the present invention, since they are the end point of the chain of command over the access rights. Those skilled in the art will recognize how to construct the upper half of the logic circuit. Those skilled in the art will also recognize that a logic circuit similar to that shown in FIG. 6 is used to generate an encryption command, signaling that the user is allowed, for example, access, shared access, copy, read, or no copy access to an encryption key. -
FIG. 7 shows a graphical user interface (GUI) 400 that forms part of an authentication module, used together with a corporate access module in accordance with the present invention, or independently of the corporate access control module. Using both together increases the security provided by a system of the present invention. The GUI 400 displays (1) a first question 403A and an area 403B (collectively, block 403) to input its corresponding response; (2) a second question 405A and an area 405B (collectively, block 405) to input its corresponding response; and (3) a third question 407A and an area 407C (collectively, block 407) to input its corresponding response. When all of the responses have been entered, the user selects the “Go” button 409, and the system attempts to authenticate the user.
- Preferably, the questions
- The GUI 400 is presented to a user according to a user interface protocol. Referring to FIG. 7, user interface protocols according to the present invention present questions to a user (1) concurrently, (2) sequentially, or (3) in a multiple-choice format, to name a few formats. When a user interface protocol uses a “concurrent display,” all of the blocks block 403 is presented to the user first. If the user enters the correct response, then the block 405 is presented to the user. If the user enters the correct response, then the block 407 is presented to the user. If the user again enters a correct response, then the user is authenticated, allowed access to the system, and granted permission to access protected data based on his position. The next time the user accesses the system, the system displays questions different from 403A, 403B, and 403C.
- In one example, when a user interface protocol uses a multiple-choice format, the GUI 500 shown in FIG. 8 is displayed. The GUI 500 displays a question area comprising a block 501 that contains a question 501A and an input area 501B for entering a letter corresponding to an answer to the question 501A; a block 503 that contains a question 503A and an input area 503B for entering a letter corresponding to an answer to the question 503A; a block 505 that contains a question 505A and an input area 505B for entering a letter corresponding to an answer to the question 505A; a block 507 that contains a question 507A and an input area 507B for entering a letter corresponding to an answer to the question 507A; and a “Go” button 520 for launching the authorization process. The GUI 500 also displays a candidate answer area containing multiple letter and answer pairs: the entry 510 with the letter “A” indicating the answer “Blue,” the entry 511 with the letter “B” indicating the answer “Yellow,” the entry 512 with the letter “C” indicating the answer “Purple,” the entry 513 with the letter “D” indicating the answer “Pink,” the entry 514 with the letter “E” indicating the answer “Green,” and the entry 515 with the letter “F” indicating the answer “Gold.” The letters A-F are input into the input areas
- In one embodiment, the system requires that a user answer questions in a pre-determined order. As one example, the system is configured to authorize the user only if he answers the question 505A first, the question 501A next, the question 507A next, and the question 503A last. This is accomplished in one embodiment using event handlers, to make sure that the events corresponding to entering data in the areas
- Those embodiments that use a multiple-choice format are able to include other security features. Referring to FIG. 8, for example, the authentication module requires that the user select only a subset of the questions
- While the GUI 500 shows more questions than answers, it will be appreciated that GUIs in accordance with other embodiments of the present invention have the same number of questions and answers or more questions than answers, such as when only a subset of questions must be answered to authenticate a user.
- It will also be appreciated that the system is able to be modified in many ways. For example, in one embodiment, a user learns that he has not been authorized as soon as he answers a question incorrectly. In other embodiments, the user learns that he has not been authorized only after he has attempted to answer all of the questions posed to him. In this way, the user does not learn which question he answered incorrectly, information he could use later when guessing at answers to the questions.
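Two of the points above, the stored-response comparison of the authentication module (the user's response is transformed and compared with the transformed response kept on the system) and the choice to report failure only after every question in the combination has been checked, as one added example (my code, not the patent's). Where the page says the stored response is “encrypted,” this example uses a keyed one-way transform (HMAC-SHA256) instead, because the stored value only ever needs to be compared, never recovered; the answer-normalization policy, the server key and the sample answers are constructed.

```python
import hashlib
import hmac
import unicodedata
from typing import Dict, List, Tuple

# Constructed server-side key; in a deployment this would come from a key store.
SERVER_KEY = b"constructed-example-key-not-for-use"


def normalize(answer: str) -> str:
    # Constructed policy: ignore case, surrounding whitespace and Unicode form,
    # so that "Smith " and "smith" are accepted as the same response.
    return unicodedata.normalize("NFKC", answer).strip().casefold()


def protect(answer: str, key: bytes = SERVER_KEY) -> bytes:
    # Stand-in for the page's "encrypted" stored response: a keyed, one-way,
    # deterministic transform. The clear answer is never stored, and the stored
    # value is only compared against a freshly transformed response.
    return hmac.new(key, normalize(answer).encode("utf-8"), hashlib.sha256).digest()


class AnswerStore:
    """Question and answer pairs, indexed like the question and answer array."""

    def __init__(self) -> None:
        self._entries: Dict[int, Tuple[str, bytes]] = {}

    def register(self, index: int, question: str, answer: str) -> None:
        # Initialization step: the user supplies the pair; only the protected
        # form of the answer is kept beside the question.
        self._entries[index] = (question, protect(answer))

    def question(self, index: int) -> str:
        return self._entries[index][0]

    def verify_combination(self, responses: List[Tuple[int, str]]) -> bool:
        """True only if every response in the combination is correct.

        Every response is checked before anything is returned, so a user who
        fails is not told which question in the combination was wrong.
        """
        all_correct = True
        for index, response in responses:
            stored = self._entries[index][1]
            # compare_digest is constant-time, and the loop deliberately does
            # not stop at the first mismatch.
            if not hmac.compare_digest(protect(response), stored):
                all_correct = False
        return all_correct


def constructed_store() -> AnswerStore:
    # Questions are ones named on the page; the answers are constructed,
    # including the deliberately "incorrect" age that the page permits.
    store = AnswerStore()
    store.register(6, "What is my mother's maiden name?", "Smith")
    store.register(10, "What is my favorite color?", "Blue")
    store.register(0, "In what year was my sister born?", "1975")
    store.register(5, "How old am I?", "22")
    return store


if __name__ == "__main__":
    s = constructed_store()
    print(s.verify_combination([(6, "smith"), (10, " Blue"), (0, "1975")]))  # True
    print(s.verify_combination([(6, "Jones"), (10, "Blue"), (0, "1975")]))   # False
```

Because the transform is deterministic, two users who register the same answer to the same question would store the same value; a per-user salt mixed into the key removes that linkage and is a one-line change to `protect`.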
-
FIGS. 9-15 are used to explain how questions are randomly selected according to embodiments of the invention and how the system ensures that questions are not repeated too often. FIG. 9 shows an exemplary data structure 550 used to select one question in a combination of questions presented to a user. It will be appreciated that multiple data structures 550 are used to ask the combination of questions to a user. Thus, for example, when a combination of three questions is asked a user, the system requires three of the exemplary data structures 550.
- The data structure 550 includes a first element 551, a second element 555, and a third element 557. In one embodiment, the element 557 stores a list of question and answer pairs in a “question and answer” array. The elements of the question and answer array are addressable and selected by indices, which, as described below, are randomly generated. In one embodiment, the indices are generated (and the question and answer pairs thus selected) using a pseudo-random number generator, generally referred to as a “PRNG,” often supplied as a program library function. The element 551 stores a seed for the PRNG. The element 555 preferably stores an index or other identifier to the question last selected using the data structure 550.
- Those skilled in the art will recognize other ways to generate a random number in accordance with the present invention. As one example, a system time function is called. On some systems, the system time function returns the number of seconds that have elapsed since a pre-determined date (Unix, for example, uses Jan. 1, 1970). The value returned by the function can be used as a random number that is modified such as by (1) truncation, (2) using it as the first operand to the modulus operator with the array size as the second operand, or (3) taking a subset (e.g., the first three digits) of the value and again using the modulus operator with the array size as an operand. As another example, the system spawns a process, thereby generating a process identifier, and modifies the process identifier in the same way as the value returned by the system time function. The spawned process is then killed to conserve system resources. In the discussions above and below, any sequence of numbers generated with good distribution, minimal repetition, and lack of predictability, whether generated using a pseudo-random number generator or not, is referred to as randomly generated numbers.
- In operation, to generate a first question, the seed is supplied to the PRNG, thereby generating a first random number. The random number is then modified (such as by truncation or by using the modulus operator) to determine an index into the question and answer array. The question stored in the question and answer array at the index is then presented to the user.
- In other embodiments, the first random number or an integer derived from it is used as an input to the PRNG, thereby generating a second random number. The second random number or an integer derived from it is used as an input to the PRNG, thereby generating a third random number. The third random number is then converted to an index into an array of question and answer pairs to select a question to challenge a user. The index can be determined, for example, by multiplying the number by a scale factor, truncating the remainder, and then using the modulus operator with the total number of elements (e.g., questions) in the array as the operand.
- These latter embodiments improve randomness. As one example, a first random number is generated within the range of 1 to 3. This first generated random number is then input to a function (f), which receives inputs and generates a random number within a range of 1 to 18. The output of the function (f) is then input to a function (g), which receives inputs and generates a random number within a range of 1 to 36. The output of the function (g) depends on the randomly generated number and is said to function as g(f(x)), where x is a number in a range of 1 to 3. The output of g(f(x)) is used to generate an index into the question and answer array to randomly select questions for display to a user.
- Conceptually, the random number generator based on the functions g and f is thought of as a three-wheel combination lock, with the inner wheel corresponding to x, the middle wheel corresponding to the function f, and the outer wheel corresponding to the function g. It will be appreciated that the measure of randomness increases with the ranges of x, the function f, and the function g.
-
FIG. 10 shows an area 600 for use in a data structure used to track what questions and combinations of questions have already been asked and when they were asked. Because questions are always asked as part of a combination of questions, the area 600 is used to track all of the questions from the combination of questions. This is described more clearly in FIG. 12. In this embodiment, the system is set up to challenge the user with three questions from a pool of thirty-six questions. Thus, three data structures (e.g., 550) are used, one each to pose a question in the combination of questions.
- The area 600 comprises a current question area 601, a previous question area 620, and a later question area 640. Each of the areas exemplary area 601 contains rows 605-607. The row 605 contains a first entry 605A and a corresponding second entry 605B. The first entry 605A contains the value “10,” which indicates that the current question to pose is stored in the question array at index 10. The second entry 605B contains the value “0001,” which indicates that the question at index 10 was asked “0001” time units (e.g., seconds) ago. Similarly, the row 606 contains a first entry 606A and a corresponding second entry 606B. The value “8” in the first entry 606A and the value “0004” in the corresponding second entry indicate that the question at index 8 in the question array was asked “0004” time units ago.
- The previous question area 620 and the subsequent question area 640 both contain corresponding index and time pairs indicating questions and the times they were asked, selected for another question in the combination of questions. Preferably, the question and answer pairs are selected from the same question array so that the indices -
FIG. 11 shows the steps 700 of a process for using the data structure 600 in accordance with one embodiment of the present invention. Referring to FIGS. 10 and 11, in the step 701, an index is randomly generated, thereby selecting a question stored in a question and answer array at the index. Next, in the step 703, the process determines whether the question was asked before, as shown by its entry in the data structure 600. This determination is made by checking whether the index is stored in any of the entries step 707, where the question is displayed. Otherwise, the process continues to the step 705, where the process determines whether the question was asked sufficiently long ago. For example, if the question was asked a year ago, the system assumes that an unauthorized user either has not seen the question before or cannot remember the answer, and thus allows the question to be asked. This determination is made by checking the corresponding timestamp for the entry containing the index, stored in one of the entries
- In the step 707, the question (among the combination of questions asked) is displayed to the user. Next, in the step 709, the index to the question and its current timestamp are stored in the area 601 and also in the areas data structures data structures data structures rows
- Next, in the step 711, the answer input by the user is read and, in the step 713, compared with the correct answer stored in the system. If the answer is correct, the process proceeds to the step 715, where it is determined whether any more questions are to be asked. If more questions are to be asked, the process loops back to the step 701; otherwise, the process continues to the step 717, where the process ends. Similarly, if in the step 713 the process determines that the answer is incorrect, then the process also continues to the step 717, where the process ends. -
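The random index generation of the g(f(x)) “three-wheel” embodiment and the already-asked check of FIG. 10 and FIG. 11 (steps 701 to 709), as one added example (my code, not the patent's). It makes two assumptions that the page leaves open: the wheels are composed so that x picks a 6-wide sector of 1..18 and f(x) picks one of two positions in 1..36, which keeps the composite index uniform over the thirty-six questions, and a single shared table of last-asked times stands in for the replicated areas 601/620/640. The draws come from the OS cryptographic generator (`secrets.randbelow`) rather than the time-of-day or process-id sources the page also mentions, because an observer who can guess the seed can predict which questions come next; the draw source is injectable so the selection can be tested deterministically.

```python
import secrets
from typing import Callable, Dict, List, Tuple

POOL_SIZE = 36                 # thirty-six question and answer pairs (FIGS. 10, 13)
QUESTIONS_PER_COMBINATION = 3  # the preferred three-question challenge

# draw(n) returns a uniformly distributed integer in [0, n).
Draw = Callable[[int], int]


def three_wheel_index(draw: Draw = secrets.randbelow) -> int:
    """Zero-based index into the 36-entry array, composed as g(f(x)).

    Assumed composition: the inner wheel picks x in 1..3, f(x) lands in the
    6-wide sector of 1..18 selected by x, and g(f(x)) lands in one of the two
    positions of 1..36 covered by f(x). Uniform draws give a uniform index.
    """
    x = 1 + draw(3)                      # inner wheel: 1..3
    f_x = (x - 1) * 6 + 1 + draw(6)      # middle wheel: 1..18
    g_fx = (f_x - 1) * 2 + 1 + draw(2)   # outer wheel: 1..36
    return g_fx - 1


class AskedQuestionTracker:
    """Index/timestamp records of area 600 and the selection loop of FIG. 11."""

    def __init__(self, cooldown: int, max_attempts: int = 1000) -> None:
        self.cooldown = cooldown                  # time units before a question may recur
        self.max_attempts = max_attempts
        self.last_asked: Dict[int, int] = {}      # question index -> time last asked
        self.combinations: List[Tuple[frozenset, int]] = []  # (indices, time asked)

    def usable(self, index: int, now: int) -> bool:
        # Steps 703/705: never asked before, or asked sufficiently long ago.
        asked_at = self.last_asked.get(index)
        return asked_at is None or now - asked_at >= self.cooldown

    def combination_usable(self, combo: frozenset, now: int) -> bool:
        # The same trio must not recur within the cooldown even when each
        # member has individually become usable again.
        return all(now - t >= self.cooldown for c, t in self.combinations if c == combo)

    def select_combination(self, now: int, draw: Draw = secrets.randbelow) -> List[int]:
        chosen: List[int] = []
        for _ in range(self.max_attempts):
            index = three_wheel_index(draw)       # step 701
            if index in chosen or not self.usable(index, now):
                continue                          # draw again
            chosen.append(index)
            if len(chosen) < QUESTIONS_PER_COMBINATION:
                continue
            combo = frozenset(chosen)
            if not self.combination_usable(combo, now):
                chosen.clear()
                continue
            for i in chosen:                      # step 709: record index and time
                self.last_asked[i] = now
            self.combinations.append((combo, now))
            return chosen
        # Every candidate is still cooling down: refuse rather than repeat.
        raise RuntimeError("no usable question combination; enlarge the pool or shorten the cooldown")


if __name__ == "__main__":
    tracker = AskedQuestionTracker(cooldown=86400)   # one day, in seconds
    print(tracker.select_combination(now=0))
    print(tracker.select_combination(now=3600))      # disjoint from the first
```

The bounded retry loop is the part worth copying: with a pool of thirty-six and three questions per log-on, a long cooldown means the pool is exhausted after twelve log-ons, and a selector without a retry limit would spin forever at that point instead of reporting that more questions must be registered.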
FIG. 12 shows the data structure 600 of FIG. 10, used to select one question to ask as part of a combination of questions asked during the authorization step. FIG. 12 also shows a data structure 660 for asking a second question and a data structure 650 for asking a third question, both also part of the combination of questions. Similarly labeled components refer to the same or identical copies of the same component. It will be appreciated that a combination of questions can include more than three questions, and if it does, a corresponding number of data structures similar to the data structure 600 are used.
- An arrow shown in FIG. 12 connecting a data structure element 620 in the data structure 600 (referred to as the element 600-620) to the data structure 660 indicates that the element 600-620 contains the questions and corresponding timestamps selected using the data structure 660. Other elements in FIG. 12 are similarly labeled AAA-BBB, where AAA refers to a data structure and BBB is the element within the data structure AAA. In one embodiment, the questions selected using the data structure 660 are the first questions in the combination of questions posed to a user. FIG. 12 thus shows that the data structure 660 contains a list of questions and timestamps (660-601) selected using the second data structure 600 for display to a user and a list of questions and timestamps (660-640) selected using the third data structure 650. The remaining arrows are similarly explained.
- The elements 660-620, 600-601, and 650-640, without arrows, indicate the questions selected and currently displayed using the data structures data structures FIG. 10, FIG. 12 illustrates that the data structure 660 is used to currently display the question at index 6 of the question and answer array: “What is my mother's maiden name?” The data structure 600 is used to currently display the question at index 10 of the question and answer array: “What is my favorite color?” And the data structure 650 is used to currently display the question at index 0 of the question and answer array: “In what year was my sister born?”
- Those skilled in the art will recognize other data structures that are able to be used in accordance with the present invention, such as objects generated using an object-oriented programming language. As one example, an authorization module contains three similar data structures (A, B, C), each used to randomly generate and thereby randomly select a question presented to a user as part of an authorization process. Each of the data structures A, B, and C contains a data element similar to the element 601 in the data structure 600 of FIG. 12. The exemplary data element in the structure A contains the list of questions selected using the structure A. Rather than containing the lists of questions selected using the structures B and C, however, the structure A merely contains pointers to the structures B and C. These pointers are used to access the lists of questions selected using the structures B and C. This embodiment eliminates the need for the exemplary data structure A to keep copies of the questions selected using the data structures B and C.
- It will be appreciated that many other data structures are able to be used in accordance with the present invention.
FIG. 13 shows a question and answer array 800; FIGS. 14A-C show a first array 820 and a second array 840, each for selecting a question in a combination of questions presented to a user, during different times that a system is authenticating a user. The question and answer array 800 has thirty-six rows 801-804, each containing a question and answer pair. In this embodiment, only a single copy of the question and answer array 800 is required.
- Referring to the exemplary row 801, each row 801-804 is labeled with an index number (e.g., the label “[0]” 801A) and contains a question (e.g., “What is my mother's maiden name?” 801B) and a corresponding answer (e.g., “Smith” 801C), a question and answer pair. Those skilled in the art will recognize the format of an array. Question and answer pairs in the question and answer array 800 are selected by a user during an initialization process. When selecting a question to present during an authentication process of the present invention, an index (e.g., 801A) is randomly selected and the corresponding question (e.g., 801B) is presented to a user. The user's response is received and compared with the corresponding answer (e.g., 801C) stored on the system to determine if the user is authorized to use the system and thus access data on the system.
- The first and second arrays answer array 800. In this embodiment, as explained below, the first and second arrays FIG. 14A shows the first and second arrays FIG. 14B, when the user attempts to log on a second time, and FIG. 14C, when the user attempts to log on a third time. FIGS. 14A-C also show, for illustration only, the indices of the first array 820 in the column 825 and the indices of the second array 840 in the column 845. Thus, for example, referring to FIG. 14A, the entry labeled “[0]” (column 825) refers to the first entry in the array (using “0” as the starting index), with the corresponding entry (e.g., “firstarray[0]”) having the value “0” (column 820). Entries in the array 840 are similarly labeled.
- On initialization, the first array 820 contains the indexes to the question and answer array 800. In this example, the value in each entry of the first array 820 is the value of its own index. Thus, the first entry ([0]) of the first array 820 contains the value “0” and the thirty-fifth entry ([35]) contains the value “35.” Initially, all the entries of the second array 840 are “don't care” values, indicated by an “x.”
- In operation, a random number generator generates a first number between 0 and 35, inclusive, indicating the first question to present to a user during the authorization process. In this example, the random number generator generates the number 2, indicating that the question at the index 2 of the question and answer array 800 (803B) is displayed to a user during the authorization process, and the user's answer is compared with the answer at index 2 of the question and answer array (803C). The index 2 is stored at the next available entry (e.g., the entry with the lowest index containing an “x”) of the second array 840 (here, at index 0).
- As described in more detail below, the first array 820 is initially used to store indexes into the question and answer array 800 of questions that have yet to be presented to a user; the second array 840 is initially used to store indexes into the question and answer array 800 of questions that have already been presented. A “current authorization cycle” refers to the sequence of combinations of questions that are presented before all the stored questions have been exhausted. Thus, if 36 question and answer pairs are stored in the question and answer array 800, and each combination contains three questions, the current authorization cycle contains 36/3 or 12 combinations of questions. That is, after 12 combinations of questions have been presented to a user, all of the questions stored in the system have been presented. The user now has the option to enter different or additional question and answer pairs into the system. The first array 820 is called the “source array” (during this authorization cycle) because it provides indexes to the questions to be presented, and the second array is called the “spent array” because the indexes to questions already presented are stored there.
- Continuing with this example, the index 0 (generated by the random number generator) is selected next so that the
element 0 of the of the question andanswer array 800 is presented. Theindex 0 is stored at the next available entry of the second array 840 (here, index 1). Finally, theindex 35 is selected in the same manner, so that the question atindex 35 of the question andanswer array 800 is presented. The value “35” is stored at the next available entry of the second array 840 (here, index 2). In this example, a user is presented with three questions (the randomly selected combination of questions) as part of the authorization process. -
FIG. 14B shows thefirst array 820 and thesecond array 840 at the end of the first authorization process. It will be appreciated that thefirst array 820 now has 33 elements, with the last element stored atindex 33. Because the entries at indices 34-36 are not used during the current authorization cycle, they are shown as “don't care values.” The random number generator must now generate numbers between 0 and 33 instead of 0 and 36.FIG. 14B also shows that the elements in thefirst array 820 have been “slid down” so that if an entry contains an index corresponding to a question that was already presented in the current authorization cycle, it is replaced by the index of the next-highest numbered entry. This “sliding down,” of course, can occur as soon as a question is presented. -
FIG. 14C shows thefirst array 840 and thesecond array 840 after the current authorization cycle is completed. Here, after 12 three-question combinations (36 questions) have been presented and 12 answers received. Thesecond array 840 is now regarded as the source array and thefirst array 820 as the spent array, and the process continues. In some embodiments, the system now asks the user whether he would now like to input different entries into the question andanswer array 800 or to add additional entries. It will be appreciated that the “new”source array 840 contains entries that have been randomly stored because they were stored based on the output of a random number generator. Thus, when a random number generator is used to select the indices (e.g., to select the questions in the question and answer array 800) from thenew source array 840, the system now contains two-levels of randomness. The randomness of selecting questions is thus increased each time the use of thearrays -
FIG. 15 shows thesteps 900 of a process for randomly selecting questions using data structures similar to those inFIGS. 13 and 14 A-C. First, in an initialization step (not shown), the question and answer array is populated by a user and a source array is initialized. In thestep 901, an index into the question andanswer array 800 is randomly selected, such as described above. Next, in thestep 903, the question in the question and answer array stored at the index is presented to a user. In thestep 905, the index is stored in the spent array; in thestep 907, the index is removed from the source array; and in thestep 909, the entries in the source array are slid to replace the entry at the selected index, and the upper limit of the random number generator is updated to account for the fewer indexes that can be selected. - Next, in the
step 911, it is determined whether the authorization failed; that is, if the user did not supply the correct answer to the selected question. If the authorization failed, the process continues to thestep 921, where the process completes. Otherwise, the process continues to thestep 913, where it determines whether there are more questions to present (e.g., whether all three questions in the authorization process have been presented). If there are more questions to present, the process loops back to thestep 901; otherwise, the process continues to thestep 915. In thestep 915, the process determines whether the source array is “exhausted”; that is, whether it contains questions that have not been presented during the current authorization cycle. If the source array is not exhausted, the process continues to thestep 919, where the authorization step is determined to succeed, and then continues to thestep 921. If, in thestep 915 it is determined that the source array has been exhausted, the process continues to thestep 917, where the system now recognizes the source array as the spent array and the spent array as the source array. From thestep 917, the process continues to thestep 919 and then completes in thestep 921. - In operation, a user configures a system to authenticate him. During an initialization stage, the user generates a series of questions, preferably personal questions, and supplies corresponding answers. As additional authorization steps, the user is able to select (1) a sequence for answering the questions, (2) one or more questions that should not be answered, (3) “incorrect” answers that must be supplied, or (4) any combination of these. During the initialization step, the user is able to configure the interface for presenting the questions and receiving the answers. The system is also configured to determine the user's position in an organization and accordingly grant permissions for the user to access data. 
The user is able to later change or supplement the question and answers and other authorization steps. The user's permissions may also be configured over time as the user's position within the organization changes.
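- The selection scheme of FIGS. 13-15, worked through in Python as an added example; this is not code from the patent. The source and spent arrays are Python lists, so `pop` performs the “sliding down” of step 909 and the shrinking list length is the random number generator's upper limit; the role swap of step 917 is done as soon as the source list empties, which also covers a question count that is not a multiple of the combination size. Stored answers are kept as salted SHA-256 digests and compared with `hmac.compare_digest`; that is a hardening choice of this example, since the patent's array 800 holds the answer text itself (e.g., “Smith”). The six question and answer rows and the fixed salt are constructed sample data.

```python
import hashlib
import hmac
import secrets
from typing import Callable, List, Tuple

# Constructed sample rows in the layout of FIG. 13 (question, answer); the list
# position plays the role of the index 801A, and the patent's thirty-six rows become six.
QA_ROWS: List[Tuple[str, str]] = [
    ("What is my mother's maiden name?", "Smith"),
    ("What was the name of my first pet?", "Rex"),
    ("In what city was I born?", "Boston"),
    ("What was the make of my first car?", "Civic"),
    ("What is my oldest sibling's middle name?", "Anne"),
    ("What street did I grow up on?", "Elm"),
]


def normalize(answer: str) -> str:
    """Canonicalize a response so that 'Smith ' and 'smith' compare equal."""
    return " ".join(answer.strip().lower().split())


def answer_digest(answer: str, salt: bytes) -> bytes:
    """Salted SHA-256 of the normalized answer (this example's stand-in for storing 'Smith')."""
    return hashlib.sha256(salt + normalize(answer).encode("utf-8")).digest()


def enroll(rows: List[Tuple[str, str]], salt: bytes) -> List[Tuple[str, bytes]]:
    """Initialization step: the system keeps the question text and the answer digest only."""
    return [(question, answer_digest(answer, salt)) for question, answer in rows]


class QuestionSelector:
    """The first array 820 (source) and second array 840 (spent) of FIGS. 14A-C."""

    def __init__(self, size: int, rng: Callable[[int], int] = secrets.randbelow) -> None:
        # FIG. 14A: every source entry holds its own index; the spent array is all
        # "don't care" values, which an empty list represents.
        self.source: List[int] = list(range(size))
        self.spent: List[int] = []
        self.rng = rng  # rng(n) -> int in [0, n); injectable so a test can script the draws

    def next_index(self) -> int:
        """One pass through steps 901, 905, 907, 909 and, when exhausted, 917 of FIG. 15."""
        pos = self.rng(len(self.source))   # step 901: the upper limit shrinks with the source array
        idx = self.source.pop(pos)         # steps 907 and 909: remove and slide higher entries down
        self.spent.append(idx)             # step 905: next free slot of the spent array
        if not self.source:                # steps 915 and 917: cycle exhausted, the arrays swap roles
            self.source, self.spent = self.spent, []
        return idx


def authenticate(
    store: List[Tuple[str, bytes]],
    salt: bytes,
    selector: QuestionSelector,
    respond: Callable[[str], str],
    questions_per_login: int = 3,
) -> bool:
    """Steps 901-921 of FIG. 15 for one log-on: a combination of questions, any wrong answer fails."""
    for _ in range(questions_per_login):
        idx = selector.next_index()
        question, expected = store[idx]
        given = answer_digest(respond(question), salt)
        if not hmac.compare_digest(given, expected):
            return False                   # step 911 failed -> step 921; drawn indices stay spent
    return True                            # step 919


def demo() -> Tuple[bool, bool]:
    """An honest log-on followed by one with wrong answers, on the constructed rows."""
    salt = b"constructed-fixed-salt"      # constructed; use secrets.token_bytes(16) for a real store
    store = enroll(QA_ROWS, salt)
    truth = dict(QA_ROWS)
    selector = QuestionSelector(len(store))
    honest = authenticate(store, salt, selector, lambda q: truth[q])
    impostor = authenticate(store, salt, selector, lambda q: "guess")
    return honest, impostor


if __name__ == "__main__":
    print(demo())
```

With a scripted generator that draws positions 2, 0 and then the last one, the selector reproduces the FIG. 14A-B walk-through: indices 2, 0 and 35 land in the spent list in that order and the source list is left with 33 entries; drawing position 0 repeatedly until the source empties shows the swap, after which the former spent list is the new source and no index repeats within a cycle.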
- When the user later logs on to the system, the system challenges her with the questions. The questions are selected randomly, to ensure that questions are not asked frequently enough to compromise the security of the system. The system matches the user's responses to those stored in the system, checking that she also entered her responses in accordance with any additional verification steps. Once the user is verified, the system allows her to access data according to the permissions granted to her. As one example, her permissions allow her to access data owned by a particular department but not data owned by a particular business unit.
- It will be readily apparent to one skilled in the art that other various modifications may be made to the embodiments without departing from the spirit and scope of the invention as defined by the appended claims.
Claims (35)
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/367,085 US8219823B2 (en) | 2005-03-04 | 2006-03-03 | System for and method of managing access to a system using combinations of user information |
PCT/US2006/007947 WO2006096651A2 (en) | 2005-03-04 | 2006-03-06 | System for and method of managing access to a system using combinations of user information |
US13/523,441 US9449186B2 (en) | 2005-03-04 | 2012-06-14 | System for and method of managing access to a system using combinations of user information |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US65875505P | 2005-03-04 | 2005-03-04 | |
US11/367,085 US8219823B2 (en) | 2005-03-04 | 2006-03-03 | System for and method of managing access to a system using combinations of user information |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/523,441 Continuation US9449186B2 (en) | 2005-03-04 | 2012-06-14 | System for and method of managing access to a system using combinations of user information |
Publications (2)
Publication Number | Publication Date |
---|---|
US20070107051A1 true US20070107051A1 (en) | 2007-05-10 |
US8219823B2 US8219823B2 (en) | 2012-07-10 |
Family
ID=36953939
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/367,085 Expired - Fee Related US8219823B2 (en) | 2005-03-04 | 2006-03-03 | System for and method of managing access to a system using combinations of user information |
US13/523,441 Expired - Fee Related US9449186B2 (en) | 2005-03-04 | 2012-06-14 | System for and method of managing access to a system using combinations of user information |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/523,441 Expired - Fee Related US9449186B2 (en) | 2005-03-04 | 2012-06-14 | System for and method of managing access to a system using combinations of user information |
Country Status (2)
Country | Link |
---|---|
US (2) | US8219823B2 (en) |
WO (1) | WO2006096651A2 (en) |
Cited By (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080066167A1 (en) * | 2006-09-12 | 2008-03-13 | Andri Michael J | Password based access including error allowance |
US20080220872A1 (en) * | 2007-03-08 | 2008-09-11 | Timothy Michael Midgley | Method and apparatus for issuing a challenge prompt in a gaming environment |
US20090119475A1 (en) * | 2007-11-01 | 2009-05-07 | Microsoft Corporation | Time based priority modulus for security challenges |
US20090282258A1 (en) * | 2006-09-12 | 2009-11-12 | Microlatch Pty Ltd. | Password generator |
US20100122341A1 (en) * | 2008-11-13 | 2010-05-13 | Palo Alto Research Center Incorporated | Authenticating users with memorable personal questions |
WO2012092517A2 (en) * | 2010-12-30 | 2012-07-05 | Transunion Llc | Identity verification systems and methods |
US20130138954A1 (en) * | 2011-11-29 | 2013-05-30 | Dell Products L.P. | Mode sensitive encryption |
US20130263230A1 (en) * | 2012-03-30 | 2013-10-03 | Anchorfree Inc. | Method and system for statistical access control with data aggregation |
US8886930B1 (en) * | 2008-01-22 | 2014-11-11 | F5 Networks, Inc. | DNS flood protection platform for a network |
JP2015119226A (en) * | 2013-12-16 | 2015-06-25 | Kddi株式会社 | User authentication device, system, method, and program |
US20160049084A1 (en) * | 2014-08-15 | 2016-02-18 | EdLogics, LLC | Health information processing network |
US10331867B2 (en) * | 2016-10-05 | 2019-06-25 | Plantronics, Inc. | Enhanced biometric user authentication |
US10623400B2 (en) * | 2013-10-14 | 2020-04-14 | Greg Hauw | Method and device for credential and data protection |
US10846385B1 (en) | 2019-10-11 | 2020-11-24 | Capital One Services, Llc | Systems and methods for user-authentication despite error-containing password |
US10967278B1 (en) * | 2019-10-02 | 2021-04-06 | Kieran Goodwin | System and method of leveraging anonymity of computing devices to facilitate truthfulness |
US11055397B2 (en) * | 2018-10-05 | 2021-07-06 | Capital One Services, Llc | Methods, mediums, and systems for establishing and using security questions |
US11093623B2 (en) * | 2011-12-09 | 2021-08-17 | Sertainty Corporation | System and methods for using cipher objects to protect data |
US20220157475A1 (en) * | 2018-06-06 | 2022-05-19 | Reliant Immune Diagnostics, Inc. | Code trigger telemedicine session |
Families Citing this family (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE102008019103A1 (en) * | 2008-04-16 | 2009-10-22 | Siemens Aktiengesellschaft | Method and device for transcoding in an encryption-based access control to a database |
US8489399B2 (en) * | 2008-06-23 | 2013-07-16 | John Nicholas and Kristin Gross Trust | System and method for verifying origin of input through spoken language analysis |
US20100235361A1 (en) * | 2009-03-12 | 2010-09-16 | International Business Machines Corporation | Optimizing Questionnaires |
US9547656B2 (en) * | 2012-08-09 | 2017-01-17 | Oracle International Corporation | Method and system for implementing a multilevel file system in a virtualized environment |
US8955058B2 (en) | 2012-11-15 | 2015-02-10 | International Business Machines Corporation | Automatically generating challenge questions inferred from user history data for user authentication |
US9720923B2 (en) * | 2014-12-31 | 2017-08-01 | Bank Of America Corporation | System for providing user privilege information associated with secured data |
EP3472796B1 (en) | 2016-06-17 | 2023-10-18 | Predictive Safety SRP, Inc. | Geo-fencing system and method |
SG11201811484QA (en) * | 2016-06-23 | 2019-01-30 | Pluralsight Llc | Extrapolating probabilistic predictions for skills using unanswered questions and determining corresponding instructional content |
US10171438B2 (en) | 2017-04-04 | 2019-01-01 | International Business Machines Corporation | Generating a password |
US10929556B1 (en) | 2018-04-25 | 2021-02-23 | Bank Of America Corporation | Discrete data masking security system |
US10824751B1 (en) * | 2018-04-25 | 2020-11-03 | Bank Of America Corporation | Zoned data storage and control security system |
US11464397B2 (en) | 2018-09-27 | 2022-10-11 | University Of Utah Research Foundation | Soft robot to navigate the natural lumens of a living organism using undulatory locomotion generated by a rotating magnetic dipole field |
GB201917084D0 (en) * | 2019-11-22 | 2020-01-08 | Platinum Training Services Ltd | A checking system |
Citations (65)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4914653A (en) * | 1986-12-22 | 1990-04-03 | American Telephone And Telegraph Company | Inter-processor communication protocol |
US5029206A (en) * | 1989-12-27 | 1991-07-02 | Motorola, Inc. | Uniform interface for cryptographic services |
US5093913A (en) * | 1986-12-22 | 1992-03-03 | At&T Laboratories | Multiprocessor memory management system with the flexible features of a tightly-coupled system in a non-shared memory system |
US5179702A (en) * | 1989-12-29 | 1993-01-12 | Supercomputer Systems Limited Partnership | System and method for controlling a highly parallel multiprocessor using an anarchy based scheduler for parallel execution thread scheduling |
US5253342A (en) * | 1989-01-18 | 1993-10-12 | International Business Machines Corporation | Intermachine communication services |
US5454039A (en) * | 1993-12-06 | 1995-09-26 | International Business Machines Corporation | Software-efficient pseudorandom function and the use thereof for encryption |
US5513328A (en) * | 1992-10-05 | 1996-04-30 | Christofferson; James F. | Apparatus for inter-process/device communication for multiple systems of asynchronous devices |
US5584023A (en) * | 1993-12-27 | 1996-12-10 | Hsu; Mike S. C. | Computer system including a transparent and secure file transform mechanism |
US5721777A (en) * | 1994-12-29 | 1998-02-24 | Lucent Technologies Inc. | Escrow key management system for accessing encrypted data with portable cryptographic modules |
US5727206A (en) * | 1996-07-31 | 1998-03-10 | Ncr Corporation | On-line file system correction within a clustered processing system |
US5729710A (en) * | 1994-06-22 | 1998-03-17 | International Business Machines Corporation | Method and apparatus for management of mapped and unmapped regions of memory in a microkernel data processing system |
US5765153A (en) * | 1996-01-03 | 1998-06-09 | International Business Machines Corporation | Information handling system, method, and article of manufacture including object system authorization and registration |
US5774525A (en) * | 1995-01-23 | 1998-06-30 | International Business Machines Corporation | Method and apparatus utilizing dynamic questioning to provide secure access control |
US5787169A (en) * | 1995-12-28 | 1998-07-28 | International Business Machines Corp. | Method and apparatus for controlling access to encrypted data files in a computer system |
US5841976A (en) * | 1996-03-29 | 1998-11-24 | Intel Corporation | Method and apparatus for supporting multipoint communications in a protocol-independent manner |
US5903881A (en) * | 1997-06-05 | 1999-05-11 | Intuit, Inc. | Personal online banking with integrated online statement and checkbook user interface |
US5991399A (en) * | 1997-12-18 | 1999-11-23 | Intel Corporation | Method for securely distributing a conditional use private key to a trusted entity on a remote system |
US5991414A (en) * | 1997-09-12 | 1999-11-23 | International Business Machines Corporation | Method and apparatus for the secure distributed storage and retrieval of information |
US6023506A (en) * | 1995-10-26 | 2000-02-08 | Hitachi, Ltd. | Data encryption control apparatus and method |
US6065037A (en) * | 1989-09-08 | 2000-05-16 | Auspex Systems, Inc. | Multiple software-facility component operating system for co-operative processor control within a multiprocessor computer system |
US6075938A (en) * | 1997-06-10 | 2000-06-13 | The Board Of Trustees Of The Leland Stanford Junior University | Virtual machine monitors for scalable multiprocessors |
US6185681B1 (en) * | 1998-05-07 | 2001-02-06 | Stephen Zizzi | Method of transparent encryption and decryption for an electronic document management system |
US6205417B1 (en) * | 1996-04-01 | 2001-03-20 | Openconnect Systems Incorporated | Server and terminal emulator for persistent connection to a legacy host system with direct As/400 host interface |
US6249866B1 (en) * | 1997-09-16 | 2001-06-19 | Microsoft Corporation | Encrypting file system and method |
US6351813B1 (en) * | 1996-02-09 | 2002-02-26 | Digital Privacy, Inc. | Access control/crypto system |
US20020065876A1 (en) * | 2000-11-29 | 2002-05-30 | Andrew Chien | Method and process for the virtualization of system databases and stored information |
US20020091863A1 (en) * | 1997-11-17 | 2002-07-11 | Schug Klaus H. | Interoperable network communication architecture |
US20020129085A1 (en) * | 2001-03-08 | 2002-09-12 | International Business Machines Corporation | Inter-partition message passing method, system and program product for managing workload in a partitioned processing environment |
US6477545B1 (en) * | 1998-10-28 | 2002-11-05 | Starfish Software, Inc. | System and methods for robust synchronization of datasets |
US20020194496A1 (en) * | 2001-06-19 | 2002-12-19 | Jonathan Griffin | Multiple trusted computing environments |
US20030005300A1 (en) * | 2001-04-12 | 2003-01-02 | Noble Brian D. | Method and system to maintain portable computer data secure and authentication token for use therein |
US6594698B1 (en) * | 1998-09-25 | 2003-07-15 | Ncr Corporation | Protocol for dynamic binding of shared resources |
US20030140179A1 (en) * | 2002-01-04 | 2003-07-24 | Microsoft Corporation | Methods and system for managing computational resources of a coprocessor in a computing system |
US20030187784A1 (en) * | 2002-03-27 | 2003-10-02 | Michael Maritzen | System and method for mid-stream purchase of products and services |
US20030236745A1 (en) * | 2000-03-03 | 2003-12-25 | Hartsell Neal D | Systems and methods for billing in information management environments |
US6681305B1 (en) * | 2000-05-30 | 2004-01-20 | International Business Machines Corporation | Method for operating system support for memory compression |
US20040093455A1 (en) * | 2000-08-31 | 2004-05-13 | Duncan Samuel H. | System and method for providing forward progress and avoiding starvation and livelock in a multiprocessor computer system |
US6754820B1 (en) * | 2001-01-30 | 2004-06-22 | Tecsec, Inc. | Multiple level access system |
US20040123162A1 (en) * | 2002-12-11 | 2004-06-24 | Lightbridge, Inc. | Methods and systems for authentication |
US20040215837A1 (en) * | 2003-04-24 | 2004-10-28 | International Business Machines Corporation | Grouping resource allocation commands in a logically-partitioned system |
US6836888B1 (en) * | 2000-03-17 | 2004-12-28 | Lucent Technologies Inc. | System for reverse sandboxing |
US20050039057A1 (en) * | 2003-07-24 | 2005-02-17 | Amit Bagga | Method and apparatus for authenticating a user using query directed passwords |
US20050060710A1 (en) * | 1999-04-05 | 2005-03-17 | International Business Machines Corporation | System, method and program for implementing priority inheritance in an operating system |
US6886081B2 (en) * | 2002-09-17 | 2005-04-26 | Sun Microsystems, Inc. | Method and tool for determining ownership of a multiple owner lock in multithreading environments |
US20050120160A1 (en) * | 2003-08-20 | 2005-06-02 | Jerry Plouffe | System and method for managing virtual servers |
US6938166B1 (en) * | 1997-03-21 | 2005-08-30 | Thomson Licensing S.A. | Method of downloading of data to an MPEG receiver/decoder and MPEG transmission system for implementing the same |
US20050191609A1 (en) * | 2004-02-14 | 2005-09-01 | Adaptigroup Llc | Method and system for improving performance on standardized examinations |
US6957330B1 (en) * | 1999-03-01 | 2005-10-18 | Storage Technology Corporation | Method and system for secure information handling |
US20060010489A1 (en) * | 2004-07-06 | 2006-01-12 | Nastou Panayiotis E | Method and system for enhancing security in wireless stations of a local area network (LAN) |
US20060095779A9 (en) * | 2001-08-06 | 2006-05-04 | Shivaram Bhat | Uniform resource locator access management and control system and method |
US7047337B2 (en) * | 2003-04-24 | 2006-05-16 | International Business Machines Corporation | Concurrent access of shared resources utilizing tracking of request reception and completion order |
US7051209B1 (en) * | 2000-06-29 | 2006-05-23 | Intel Corporation | System and method for creation and use of strong passwords |
US20060143350A1 (en) * | 2003-12-30 | 2006-06-29 | 3Tera, Inc. | Apparatus, method and system for aggregrating computing resources |
US20060168381A1 (en) * | 2003-03-13 | 2006-07-27 | International Business Machines Corporation | Apparatus and method for controlling resource transfers in a logically partitioned computer system |
US7185192B1 (en) * | 2000-07-07 | 2007-02-27 | Emc Corporation | Methods and apparatus for controlling access to a resource |
US20070113229A1 (en) * | 2005-11-16 | 2007-05-17 | Alcatel | Thread aware distributed software system for a multi-processor |
US7231657B2 (en) * | 2002-02-14 | 2007-06-12 | American Management Systems, Inc. | User authentication system and methods thereof |
US7243370B2 (en) * | 2001-06-14 | 2007-07-10 | Microsoft Corporation | Method and system for integrating security mechanisms into session initiation protocol request messages for client-proxy authentication |
US20070288941A1 (en) * | 2006-06-07 | 2007-12-13 | Andrew Dunshea | Sharing kernel services among kernels |
US7313694B2 (en) * | 2001-10-05 | 2007-12-25 | Hewlett-Packard Development Company, L.P. | Secure file access control via directory encryption |
US7353535B2 (en) * | 2003-03-31 | 2008-04-01 | Microsoft Corporation | Flexible, selectable, and fine-grained network trust policies |
US7389415B1 (en) * | 2000-12-27 | 2008-06-17 | Cisco Technology, Inc. | Enabling cryptographic features in a cryptographic device using MAC addresses |
US20080189715A1 (en) * | 2006-03-14 | 2008-08-07 | International Business Machines Corporation | Controlling resource transfers in a logically partitioned computer system |
US7805726B1 (en) * | 2003-05-09 | 2010-09-28 | Oracle America, Inc. | Multi-level resource limits for operating system partitions |
US7814023B1 (en) * | 2005-09-08 | 2010-10-12 | Avaya Inc. | Secure download manager |
Family Cites Families (35)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH02214887A (en) | 1989-02-16 | 1990-08-27 | Mitsubishi Electric Corp | File protecting method |
JPH0451426A (en) | 1990-06-20 | 1992-02-19 | Hitachi Ltd | Inspection device for hanger mounting circuit |
JPH0460843A (en) | 1990-06-29 | 1992-02-26 | Hitachi Ltd | Task scheduling system for multiprocessor system |
US5220604A (en) * | 1990-09-28 | 1993-06-15 | Digital Equipment Corporation | Method for performing group exclusion in hierarchical group structures |
JP2757648B2 (en) | 1992-01-29 | 1998-05-25 | 日本電気株式会社 | Online transaction data processing system |
US5491808A (en) | 1992-09-30 | 1996-02-13 | Conner Peripherals, Inc. | Method for tracking memory allocation in network file server |
US6105053A (en) | 1995-06-23 | 2000-08-15 | Emc Corporation | Operating system for a non-uniform memory access multiprocessor system |
US5666486A (en) | 1995-06-23 | 1997-09-09 | Data General Corporation | Multiprocessor cluster membership manager framework |
JPH09251426A (en) | 1996-01-10 | 1997-09-22 | Hitachi Ltd | File ciphering system and its control method, and cipher file reception system and its control method |
JPH1027109A (en) | 1996-07-10 | 1998-01-27 | Nippon Telegr & Teleph Corp <Ntt> | Method for allocating resource |
US6151688A (en) | 1997-02-21 | 2000-11-21 | Novell, Inc. | Resource management in a clustered computer system |
JPH11249916A (en) | 1998-03-03 | 1999-09-17 | Fujitsu Ltd | Memory management device and storage medium |
JP3528701B2 (en) | 1999-09-21 | 2004-05-24 | カシオ計算機株式会社 | Security management system |
JP3866519B2 (en) | 1999-04-30 | 2007-01-10 | 富士通株式会社 | File management system |
KR100346411B1 (en) | 2000-08-26 | 2002-08-01 | 조인구 | Automatic Encryption and Decrytion Method of File and Moving Method of File Pointer Using Thereof, and Computer Readable Recording Medium Having Thereon Programmed Automatic Encryption and Decrytion Method of File and Moving Method of File Pointer Using Thereof |
JP2002123427A (en) | 2000-10-13 | 2002-04-26 | Nec Soft Ltd | Access control system for computer |
US20020099759A1 (en) | 2001-01-24 | 2002-07-25 | Gootherts Paul David | Load balancer with starvation avoidance |
US20020161596A1 (en) | 2001-04-30 | 2002-10-31 | Johnson Robert E. | System and method for validation of storage device addresses |
GB0121747D0 (en) | 2001-09-08 | 2001-10-31 | Amphion Semiconductor Ltd | Improvements in and relating to data encryption\decryption apparatus |
US20030126092A1 (en) * | 2002-01-02 | 2003-07-03 | Mitsuo Chihara | Individual authentication method and the system |
DE60323811D1 (en) | 2003-04-09 | 2008-11-13 | Jaluna S A | operating systems |
US7299468B2 (en) | 2003-04-29 | 2007-11-20 | International Business Machines Corporation | Management of virtual machines to utilize shared resources |
EP1507357A1 (en) * | 2003-08-13 | 2005-02-16 | Mind On Move Oy | An access control and charging method for digital television applications |
US8458691B2 (en) | 2004-04-15 | 2013-06-04 | International Business Machines Corporation | System and method for dynamically building application environments in a computational grid |
US7788713B2 (en) | 2004-06-23 | 2010-08-31 | Intel Corporation | Method, apparatus and system for virtualized peer-to-peer proxy services |
US7779424B2 (en) | 2005-03-02 | 2010-08-17 | Hewlett-Packard Development Company, L.P. | System and method for attributing to a corresponding virtual machine CPU usage of an isolated driver domain in which a shared resource's device driver resides |
US7721299B2 (en) | 2005-08-05 | 2010-05-18 | Red Hat, Inc. | Zero-copy network I/O for virtual hosts |
US20070038996A1 (en) | 2005-08-09 | 2007-02-15 | International Business Machines Corporation | Remote I/O for virtualized systems |
US8645964B2 (en) | 2005-08-23 | 2014-02-04 | Mellanox Technologies Ltd. | System and method for accelerating input/output access operation on a virtual machine |
US7836303B2 (en) | 2005-12-09 | 2010-11-16 | University Of Washington | Web browser operating system |
US20070174429A1 (en) | 2006-01-24 | 2007-07-26 | Citrix Systems, Inc. | Methods and servers for establishing a connection between a client system and a virtual machine hosting a requested computing environment |
US8145760B2 (en) | 2006-07-24 | 2012-03-27 | Northwestern University | Methods and systems for automatic inference and adaptation of virtualized computing environments |
US8209682B2 (en) | 2006-07-26 | 2012-06-26 | Hewlett-Packard Development Company, L.P. | System and method for controlling aggregate CPU usage by virtual machines and driver domains over a plurality of scheduling intervals |
JP2008097356A (en) | 2006-10-12 | 2008-04-24 | Canon Inc | Digital multifunction machine, control method therefor, program, and storage medium |
JP2008262419A (en) | 2007-04-12 | 2008-10-30 | Toyota Motor Corp | Information processor, operating system selection method and program |
- 2006
- 2006-03-03 US US11/367,085 patent/US8219823B2/en not_active Expired - Fee Related
- 2006-03-06 WO PCT/US2006/007947 patent/WO2006096651A2/en active Application Filing
- 2012
- 2012-06-14 US US13/523,441 patent/US9449186B2/en not_active Expired - Fee Related
Patent Citations (67)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5093913A (en) * | 1986-12-22 | 1992-03-03 | At&T Laboratories | Multiprocessor memory management system with the flexible features of a tightly-coupled system in a non-shared memory system |
US4914653A (en) * | 1986-12-22 | 1990-04-03 | American Telephone And Telegraph Company | Inter-processor communication protocol |
US5253342A (en) * | 1989-01-18 | 1993-10-12 | International Business Machines Corporation | Intermachine communication services |
US6065037A (en) * | 1989-09-08 | 2000-05-16 | Auspex Systems, Inc. | Multiple software-facility component operating system for co-operative processor control within a multiprocessor computer system |
US5029206A (en) * | 1989-12-27 | 1991-07-02 | Motorola, Inc. | Uniform interface for cryptographic services |
US6195676B1 (en) * | 1989-12-29 | 2001-02-27 | Silicon Graphics, Inc. | Method and apparatus for user side scheduling in a multiprocessor operating system program that implements distributive scheduling of processes |
US5179702A (en) * | 1989-12-29 | 1993-01-12 | Supercomputer Systems Limited Partnership | System and method for controlling a highly parallel multiprocessor using an anarchy based scheduler for parallel execution thread scheduling |
US5513328A (en) * | 1992-10-05 | 1996-04-30 | Christofferson; James F. | Apparatus for inter-process/device communication for multiple systems of asynchronous devices |
US5454039A (en) * | 1993-12-06 | 1995-09-26 | International Business Machines Corporation | Software-efficient pseudorandom function and the use thereof for encryption |
US5584023A (en) * | 1993-12-27 | 1996-12-10 | Hsu; Mike S. C. | Computer system including a transparent and secure file transform mechanism |
US5729710A (en) * | 1994-06-22 | 1998-03-17 | International Business Machines Corporation | Method and apparatus for management of mapped and unmapped regions of memory in a microkernel data processing system |
US5721777A (en) * | 1994-12-29 | 1998-02-24 | Lucent Technologies Inc. | Escrow key management system for accessing encrypted data with portable cryptographic modules |
US5774525A (en) * | 1995-01-23 | 1998-06-30 | International Business Machines Corporation | Method and apparatus utilizing dynamic questioning to provide secure access control |
US6023506A (en) * | 1995-10-26 | 2000-02-08 | Hitachi, Ltd. | Data encryption control apparatus and method |
US5787169A (en) * | 1995-12-28 | 1998-07-28 | International Business Machines Corp. | Method and apparatus for controlling access to encrypted data files in a computer system |
US5765153A (en) * | 1996-01-03 | 1998-06-09 | International Business Machines Corporation | Information handling system, method, and article of manufacture including object system authorization and registration |
US6351813B1 (en) * | 1996-02-09 | 2002-02-26 | Digital Privacy, Inc. | Access control/crypto system |
US5841976A (en) * | 1996-03-29 | 1998-11-24 | Intel Corporation | Method and apparatus for supporting multipoint communications in a protocol-independent manner |
US6205417B1 (en) * | 1996-04-01 | 2001-03-20 | Openconnect Systems Incorporated | Server and terminal emulator for persistent connection to a legacy host system with direct As/400 host interface |
US5727206A (en) * | 1996-07-31 | 1998-03-10 | Ncr Corporation | On-line file system correction within a clustered processing system |
US6938166B1 (en) * | 1997-03-21 | 2005-08-30 | Thomson Licensing S.A. | Method of downloading of data to an MPEG receiver/decoder and MPEG transmission system for implementing the same |
US5903881A (en) * | 1997-06-05 | 1999-05-11 | Intuit, Inc. | Personal online banking with integrated online statement and checkbook user interface |
US6075938A (en) * | 1997-06-10 | 2000-06-13 | The Board Of Trustees Of The Leland Stanford Junior University | Virtual machine monitors for scalable multiprocessors |
US5991414A (en) * | 1997-09-12 | 1999-11-23 | International Business Machines Corporation | Method and apparatus for the secure distributed storage and retrieval of information |
US6249866B1 (en) * | 1997-09-16 | 2001-06-19 | Microsoft Corporation | Encrypting file system and method |
US20020091863A1 (en) * | 1997-11-17 | 2002-07-11 | Schug Klaus H. | Interoperable network communication architecture |
US5991399A (en) * | 1997-12-18 | 1999-11-23 | Intel Corporation | Method for securely distributing a conditional use private key to a trusted entity on a remote system |
US6185681B1 (en) * | 1998-05-07 | 2001-02-06 | Stephen Zizzi | Method of transparent encryption and decryption for an electronic document management system |
US6594698B1 (en) * | 1998-09-25 | 2003-07-15 | Ncr Corporation | Protocol for dynamic binding of shared resources |
US6477545B1 (en) * | 1998-10-28 | 2002-11-05 | Starfish Software, Inc. | System and methods for robust synchronization of datasets |
US6957330B1 (en) * | 1999-03-01 | 2005-10-18 | Storage Technology Corporation | Method and system for secure information handling |
US20050060710A1 (en) * | 1999-04-05 | 2005-03-17 | International Business Machines Corporation | System, method and program for implementing priority inheritance in an operating system |
US20030236745A1 (en) * | 2000-03-03 | 2003-12-25 | Hartsell Neal D | Systems and methods for billing in information management environments |
US6836888B1 (en) * | 2000-03-17 | 2004-12-28 | Lucent Technologies Inc. | System for reverse sandboxing |
US6681305B1 (en) * | 2000-05-30 | 2004-01-20 | International Business Machines Corporation | Method for operating system support for memory compression |
US7051209B1 (en) * | 2000-06-29 | 2006-05-23 | Intel Corporation | System and method for creation and use of strong passwords |
US7185192B1 (en) * | 2000-07-07 | 2007-02-27 | Emc Corporation | Methods and apparatus for controlling access to a resource |
US20040093455A1 (en) * | 2000-08-31 | 2004-05-13 | Duncan Samuel H. | System and method for providing forward progress and avoiding starvation and livelock in a multiprocessor computer system |
US20020065876A1 (en) * | 2000-11-29 | 2002-05-30 | Andrew Chien | Method and process for the virtualization of system databases and stored information |
US7389415B1 (en) * | 2000-12-27 | 2008-06-17 | Cisco Technology, Inc. | Enabling cryptographic features in a cryptographic device using MAC addresses |
US6754820B1 (en) * | 2001-01-30 | 2004-06-22 | Tecsec, Inc. | Multiple level access system |
US20020129085A1 (en) * | 2001-03-08 | 2002-09-12 | International Business Machines Corporation | Inter-partition message passing method, system and program product for managing workload in a partitioned processing environment |
US20030005300A1 (en) * | 2001-04-12 | 2003-01-02 | Noble Brian D. | Method and system to maintain portable computer data secure and authentication token for use therein |
US7243370B2 (en) * | 2001-06-14 | 2007-07-10 | Microsoft Corporation | Method and system for integrating security mechanisms into session initiation protocol request messages for client-proxy authentication |
US20020194496A1 (en) * | 2001-06-19 | 2002-12-19 | Jonathan Griffin | Multiple trusted computing environments |
US20060095779A9 (en) * | 2001-08-06 | 2006-05-04 | Shivaram Bhat | Uniform resource locator access management and control system and method |
US7313694B2 (en) * | 2001-10-05 | 2007-12-25 | Hewlett-Packard Development Company, L.P. | Secure file access control via directory encryption |
US20030140179A1 (en) * | 2002-01-04 | 2003-07-24 | Microsoft Corporation | Methods and system for managing computational resources of a coprocessor in a computing system |
US7231657B2 (en) * | 2002-02-14 | 2007-06-12 | American Management Systems, Inc. | User authentication system and methods thereof |
US20030187784A1 (en) * | 2002-03-27 | 2003-10-02 | Michael Maritzen | System and method for mid-stream purchase of products and services |
US6886081B2 (en) * | 2002-09-17 | 2005-04-26 | Sun Microsystems, Inc. | Method and tool for determining ownership of a multiple owner lock in multithreading environments |
US20040123162A1 (en) * | 2002-12-11 | 2004-06-24 | Lightbridge, Inc. | Methods and systems for authentication |
US20060168381A1 (en) * | 2003-03-13 | 2006-07-27 | International Business Machines Corporation | Apparatus and method for controlling resource transfers in a logically partitioned computer system |
US7353535B2 (en) * | 2003-03-31 | 2008-04-01 | Microsoft Corporation | Flexible, selectable, and fine-grained network trust policies |
US7316019B2 (en) * | 2003-04-24 | 2008-01-01 | International Business Machines Corporation | Grouping resource allocation commands in a logically-partitioned system |
US7047337B2 (en) * | 2003-04-24 | 2006-05-16 | International Business Machines Corporation | Concurrent access of shared resources utilizing tracking of request reception and completion order |
US20040215837A1 (en) * | 2003-04-24 | 2004-10-28 | International Business Machines Corporation | Grouping resource allocation commands in a logically-partitioned system |
US7805726B1 (en) * | 2003-05-09 | 2010-09-28 | Oracle America, Inc. | Multi-level resource limits for operating system partitions |
US20050039057A1 (en) * | 2003-07-24 | 2005-02-17 | Amit Bagga | Method and apparatus for authenticating a user using query directed passwords |
US20050120160A1 (en) * | 2003-08-20 | 2005-06-02 | Jerry Plouffe | System and method for managing virtual servers |
US20060143350A1 (en) * | 2003-12-30 | 2006-06-29 | 3Tera, Inc. | Apparatus, method and system for aggregrating computing resources |
US20050191609A1 (en) * | 2004-02-14 | 2005-09-01 | Adaptigroup Llc | Method and system for improving performance on standardized examinations |
US20060010489A1 (en) * | 2004-07-06 | 2006-01-12 | Nastou Panayiotis E | Method and system for enhancing security in wireless stations of a local area network (LAN) |
US7814023B1 (en) * | 2005-09-08 | 2010-10-12 | Avaya Inc. | Secure download manager |
US20070113229A1 (en) * | 2005-11-16 | 2007-05-17 | Alcatel | Thread aware distributed software system for a multi-processor |
US20080189715A1 (en) * | 2006-03-14 | 2008-08-07 | International Business Machines Corporation | Controlling resource transfers in a logically partitioned computer system |
US20070288941A1 (en) * | 2006-06-07 | 2007-12-13 | Andrew Dunshea | Sharing kernel services among kernels |
Non-Patent Citations (3)
Title |
---|
Akl, Selim G.; Taylor, Peter D., Cryptographic solution to a problem of access control in a hierarchy, August 1983, Volume 1, Issue 3, pages 239-248, ISSN: 0734-2071 * |
Crampton, J.; Martin, K.; Wild, P., On key assignment for hierarchical access control, Computer Security Foundations Workshop, 2006, 19th IEEE * |
Kayem, Anne V.D.M., On replacing cryptographic keys in hierarchical key management systems, Journal of Computer Security, 2008, Vol. 16, Issue 3, p289-309, 21p, 7 Diagrams, 1 Chart, 3 Graphs * |
Cited By (30)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8458484B2 (en) * | 2006-09-12 | 2013-06-04 | Microlatch Pty Ltd | Password generator |
US20090282258A1 (en) * | 2006-09-12 | 2009-11-12 | Microlatch Pty Ltd. | Password generator |
US20080066167A1 (en) * | 2006-09-12 | 2008-03-13 | Andri Michael J | Password based access including error allowance |
US20080220872A1 (en) * | 2007-03-08 | 2008-09-11 | Timothy Michael Midgley | Method and apparatus for issuing a challenge prompt in a gaming environment |
US20090119475A1 (en) * | 2007-11-01 | 2009-05-07 | Microsoft Corporation | Time based priority modulus for security challenges |
US8886930B1 (en) * | 2008-01-22 | 2014-11-11 | F5 Networks, Inc. | DNS flood protection platform for a network |
US20100122341A1 (en) * | 2008-11-13 | 2010-05-13 | Palo Alto Research Center Incorporated | Authenticating users with memorable personal questions |
US8161534B2 (en) * | 2008-11-13 | 2012-04-17 | Palo Alto Research Center Incorporated | Authenticating users with memorable personal questions |
US9843582B2 (en) | 2010-12-30 | 2017-12-12 | Trans Union Llc | Identity verification systems and methods |
WO2012092517A2 (en) * | 2010-12-30 | 2012-07-05 | Transunion Llc | Identity verification systems and methods |
CN103380430A (en) * | 2010-12-30 | 2013-10-30 | 环联有限责任公司 | Identity verification systems and methods |
US8695105B2 (en) | 2010-12-30 | 2014-04-08 | Trans Union Llc | Identity verification systems and methods |
WO2012092517A3 (en) * | 2010-12-30 | 2012-10-26 | Transunion Llc | Identity verification systems and methods |
CN105516198A (en) * | 2010-12-30 | 2016-04-20 | 环联有限责任公司 | Identity verification systems and methods |
US20130138954A1 (en) * | 2011-11-29 | 2013-05-30 | Dell Products L.P. | Mode sensitive encryption |
US9256758B2 (en) * | 2011-11-29 | 2016-02-09 | Dell Products L.P. | Mode sensitive encryption |
US20160156547A1 (en) * | 2011-11-29 | 2016-06-02 | Dell Products L.P. | Mode sensitive encryption |
US9509592B2 (en) * | 2011-11-29 | 2016-11-29 | Dell Products L.P. | Mode sensitive encryption |
US11093623B2 (en) * | 2011-12-09 | 2021-08-17 | Sertainty Corporation | System and methods for using cipher objects to protect data |
US20130263230A1 (en) * | 2012-03-30 | 2013-10-03 | Anchorfree Inc. | Method and system for statistical access control with data aggregation |
US10623400B2 (en) * | 2013-10-14 | 2020-04-14 | Greg Hauw | Method and device for credential and data protection |
JP2015119226A (en) * | 2013-12-16 | 2015-06-25 | Kddi株式会社 | User authentication device, system, method, and program |
WO2016025954A1 (en) * | 2014-08-15 | 2016-02-18 | EdLogics, LLC | Health information processing network |
US20160049084A1 (en) * | 2014-08-15 | 2016-02-18 | EdLogics, LLC | Health information processing network |
US10331867B2 (en) * | 2016-10-05 | 2019-06-25 | Plantronics, Inc. | Enhanced biometric user authentication |
US20220157475A1 (en) * | 2018-06-06 | 2022-05-19 | Reliant Immune Diagnostics, Inc. | Code trigger telemedicine session |
US11055397B2 (en) * | 2018-10-05 | 2021-07-06 | Capital One Services, Llc | Methods, mediums, and systems for establishing and using security questions |
US10967278B1 (en) * | 2019-10-02 | 2021-04-06 | Kieran Goodwin | System and method of leveraging anonymity of computing devices to facilitate truthfulness |
US10846385B1 (en) | 2019-10-11 | 2020-11-24 | Capital One Services, Llc | Systems and methods for user-authentication despite error-containing password |
US11354389B2 (en) | 2019-10-11 | 2022-06-07 | Capital One Services, Llc | Systems and methods for user-authentication despite error-containing password |
Also Published As
Publication number | Publication date |
---|---|
US20120303965A1 (en) | 2012-11-29 |
WO2006096651A2 (en) | 2006-09-14 |
US8219823B2 (en) | 2012-07-10 |
US9449186B2 (en) | 2016-09-20 |
WO2006096651A3 (en) | 2008-01-17 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9449186B2 (en) | System for and method of managing access to a system using combinations of user information | |
US9740849B2 (en) | Registration and authentication of computing devices using a digital skeleton key | |
US6317834B1 (en) | Biometric authentication system with encrypted models | |
EP2731041B1 (en) | Computer system for storing and retrieval of encrypted data items, client computer, computer program product and computer-implemented method | |
US11599624B2 (en) | Graphic pattern-based passcode generation and authentication | |
JP6572461B1 (en) | Data management system and data management method | |
US7461399B2 (en) | PIN recovery in a smart card | |
US6910132B1 (en) | Secure system and method for accessing files in computers using fingerprints | |
US20180262503A1 (en) | User-generated session passcode for re-authentication | |
US20060036868A1 (en) | User authentication without prior user enrollment | |
US20070124321A1 (en) | Storing digital secrets in a vault | |
US20160117521A1 (en) | Computer system for storing and retrieval of encrypted data items, client computer, computer program product and computer-implemented method | |
US9026798B2 (en) | User selectable signature | |
CN100444184C (en) | Method and system of software identify identification | |
US11514153B2 (en) | Method of registering and authenticating a user of an online system | |
US20060137000A1 (en) | Method binding network administrators as the root user on linux | |
US11831766B2 (en) | Generation of encryption keys using biometrics | |
Awang et al. | A pattern-based password authentication scheme for minimizing shoulder surfing attack | |
Boonkrong et al. | Password-based authentication | |
US20230006828A1 (en) | Multiple factor authentication for portable memory storage system | |
CA2302619C (en) | Generation of repeatable cryptographic key based on varying parameters | |
Menkus | Understanding Passwords |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | STCF | Information on status: patent grant | Free format text: PATENTED CASE |
 | AS | Assignment | Owner name: ENCRYPTHENTICA LIMITED, HONG KONG; Free format text: ASSIGNMENT OF ASSIGNORS INTEREST; ASSIGNOR: CARTER, ERNST B.; REEL/FRAME: 029545/0162; Effective date: 20121224 |
 | FPAY | Fee payment | Year of fee payment: 4 |
 | FEPP | Fee payment procedure | Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY |
 | LAPS | Lapse for failure to pay maintenance fees | Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY |
 | STCH | Information on status: patent discontinuation | Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362 |